CVE-2003-0122
CVSS 5.0
Published: 2003-03-18 00:00:00
Revised: 2016-10-17 22:29:47

[Original] Buffer overflow in Notes server before Lotus Notes R4, R5 before 5.0.11, and early R6 allows remote attackers to execute arbitrary code via a long distinguished name (DN) during NotesRPC authentication and an outer field length that is less than that of the DN field.


[CNNVD] Lotus Notes Protocol Authentication Remote Buffer Overflow Vulnerability (CNNVD-200303-048)

        
Lotus Notes and Domino servers support a proprietary protocol called NotesRPC, usually referred to simply as the Notes protocol. It is bound to TCP port 1352, but can also be carried over NetBIOS, Netware SPX, Banyan Vines and modem dial-up.
Lotus has a vulnerability in its handling of the authentication process; a remote attacker can use it to mount a buffer overflow attack and possibly execute arbitrary instructions on the system with the privileges of the web process.
When a Notes client connects to a server, it establishes a session with the server for authentication, which consists of a series of challenge exchanges between client and server. An unauthenticated client can submit malicious data during this exchange phase and trigger a buffer overflow on the Notes server.
During NotesRPC authentication the client sends a distinguished name (DN) to the server; a DN is a string such as "CN=John Smith/O=Acme/C=US". The DN string is prefixed by a 16-bit length field, and the outer packet structure contains a header field giving the length of the DN field (the prefix length plus the length of the DN itself).
If the length specified in the outer header structure is less than or equal to the length in the DN field, an error in the data-offset arithmetic causes heap-based corruption (for example, 65534 bytes being copied into the Notes heap).
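As an added example (not code from this page, the advisory or Lotus), a hardened length-consistency check for the DN field described above, written over a constructed, simplified layout (outer 16-bit length, 16-bit DN length prefix, DN bytes; the real NotesRPC encoding is not reproduced here). naive_payload_len shows how subtracting the prefix from an outer length that is too small wraps in 16 bits to 65534, and parse_dn rejects every inconsistent or truncated header before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified layout for this example (not the real NotesRPC wire
 * format): [outer_len u16 LE][dn_len u16 LE][dn bytes]. outer_len is meant to
 * equal the 2-byte prefix plus the DN itself. */
enum dn_status { DN_OK = 0, DN_TRUNCATED, DN_OUTER_TOO_SMALL, DN_INNER_MISMATCH, DN_TOO_LONG };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* The arithmetic the advisory describes: subtracting the prefix from an outer
 * length that is too small wraps in 16 bits, e.g. 0 - 2 -> 65534. */
uint16_t naive_payload_len(uint16_t outer_len) { return (uint16_t)(outer_len - 2u); }

/* Hardened parse: each length is checked against the others and against the
 * bytes actually received before anything is copied. */
enum dn_status parse_dn(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_cap) {
    if (pkt_len < 4) return DN_TRUNCATED;
    uint16_t outer_len = rd16(pkt), dn_len = rd16(pkt + 2);
    if (outer_len < 2) return DN_OUTER_TOO_SMALL;      /* would wrap above */
    if ((size_t)outer_len - 2 != dn_len) return DN_INNER_MISMATCH;
    if (pkt_len < 4u + dn_len) return DN_TRUNCATED;    /* DN not all present */
    if (dn_len >= out_cap) return DN_TOO_LONG;         /* leave room for NUL */
    memcpy(out, pkt + 4, dn_len);
    out[dn_len] = '\0';
    return DN_OK;
}

/* Test-input builder: outer_len is a free parameter so that inconsistent
 * headers can be constructed. Returns bytes written, 0 if buf is too small. */
size_t build_dn_packet(uint16_t outer_len, const char *dn, uint8_t *buf, size_t cap) {
    size_t n = strlen(dn);
    if (n > UINT16_MAX || cap < 4 + n) return 0;
    wr16(buf, outer_len);
    wr16(buf + 2, (uint16_t)n);
    memcpy(buf + 4, dn, n);
    return 4 + n;
}

int main(void) {
    uint8_t buf[64]; char dn[64];
    const char *sample = "CN=John Smith/O=Acme/C=US";          /* constructed sample DN */
    size_t n = build_dn_packet(27, sample, buf, sizeof buf);   /* consistent: 2 + 25 */
    printf("consistent header -> status %d (%s)\n", parse_dn(buf, n, dn, sizeof dn), dn);
    n = build_dn_packet(0, sample, buf, sizeof buf);           /* outer shorter than prefix */
    printf("outer_len 0 -> status %d, naive length %u\n", parse_dn(buf, n, dn, sizeof dn), (unsigned)naive_payload_len(0));
    return 0;
}
```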
        

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:ibm:lotus_domino:4.6.3  IBM Lotus Domino 4.6.3
cpe:/a:ibm:lotus_domino:4.6.4  IBM Lotus Domino 4.6.4
cpe:/a:ibm:lotus_domino:5.0.7a  IBM Lotus Domino 5.0.7a
cpe:/a:ibm:lotus_domino:5.0.4::solaris
cpe:/a:ibm:lotus_notes_client:5.0.9a  IBM Lotus Notes Client 5.0.9a
cpe:/a:ibm:lotus_domino:5.0.9a  IBM Lotus Domino 5.0.9a
cpe:/a:ibm:lotus_notes_client:5.0.4  IBM Lotus Notes Client 5.0.4
cpe:/a:ibm:lotus_domino:5.0.8:::french
cpe:/a:ibm:lotus_domino:4.6.1  IBM Lotus Domino 4.6.1
cpe:/a:ibm:lotus_notes_client:5.0.5  IBM Lotus Notes Client 5.0.5
cpe:/a:ibm:lotus_domino:5.0.4a  IBM Lotus Domino 5.0.4a
cpe:/a:ibm:lotus_notes_client:5.0.3  IBM Lotus Notes Client 5.0.3
cpe:/a:ibm:lotus_notes_client:5.0.10  IBM Lotus Notes Client 5.0.10
cpe:/a:ibm:lotus_domino:5.0  IBM Lotus Domino 5.0
cpe:/a:ibm:lotus_domino:5.0.6a  IBM Lotus Domino 5.0.6a
cpe:/a:ibm:lotus_notes_client:5.0.1  IBM Lotus Notes Client 5.0.1
cpe:/a:ibm:lotus_notes_client:5.0.2  IBM Lotus Notes Client 5.0.2
cpe:/a:ibm:lotus_domino:5.0.8a  IBM Lotus Domino 5.0.8a
cpe:/a:ibm:lotus_notes_client:5.0.11  IBM Lotus Notes Client 5.0.11
cpe:/a:ibm:lotus_domino:5.0.1  IBM Lotus Domino 5.0.1
cpe:/a:ibm:lotus_domino:5.0.2  IBM Lotus Domino 5.0.2
cpe:/a:ibm:lotus_domino:5.0.7::solaris
cpe:/a:ibm:lotus_domino:5.0.5  IBM Lotus Domino 5.0.5
cpe:/a:ibm:lotus_domino:5.0.6  IBM Lotus Domino 5.0.6
cpe:/a:ibm:lotus_notes_client:5.0  IBM Lotus Notes Client 5.0
cpe:/a:ibm:lotus_domino:5.0.3  IBM Lotus Domino 5.0.3
cpe:/a:ibm:lotus_domino:5.0.11  IBM Lotus Domino 5.0.11
cpe:/a:ibm:lotus_domino:5.0.9  IBM Lotus Domino 5.0.9
cpe:/a:ibm:lotus_domino:5.0.10  IBM Lotus Domino 5.0.10
cpe:/a:ibm:lotus_domino:5.0.8  IBM Lotus Domino 5.0.8
cpe:/a:ibm:lotus_domino:5.0.5:::french
cpe:/a:ibm:lotus_notes_client:r5  IBM Lotus Notes Client R5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0122
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0122
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-048
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0125.html
(UNKNOWN)  VULNWATCH  20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication
http://marc.info/?l=bugtraq&m=104757319829443&w=2
(UNKNOWN)  BUGTRAQ  20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication
http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101
(VENDOR_ADVISORY)  CONFIRM  http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101
http://www.cert.org/advisories/CA-2003-11.html
(UNKNOWN)  CERT  CA-2003-11
http://www.ciac.org/ciac/bulletins/n-065.shtml
(UNKNOWN)  CIAC  N-065
http://www.kb.cert.org/vuls/id/433489
(UNKNOWN)  CERT-VN  VU#433489
http://www.rapid7.com/advisories/R7-0010.html
(UNKNOWN)  MISC  http://www.rapid7.com/advisories/R7-0010.html
http://www.securityfocus.com/bid/7037
(VENDOR_ADVISORY)  BID  7037
http://xforce.iss.net/xforce/xfdb/11526
(UNKNOWN)  XF  lotus-nrpc-bo(11526)

- Vulnerability information

Lotus Notes Protocol Authentication Remote Buffer Overflow Vulnerability
Medium  Boundary Condition Error
2003-03-18 00:00:00 2006-09-21 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
Lotus
-----
Users running R5.0.11 and earlier are advised to upgrade to R5.0.12 or R6.0; because R6.0 Gold has other vulnerabilities, users are advised to upgrade to R6.0.1, released after 2003-02.
Domino incremental installers are available from:

http://www14.software.ibm.com/webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r

- Vulnerability information

10828
IBM Lotus Notes Server NotesRPC Authentication Long DN Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-03-11 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

IBM Lotus Notes Protocol Authentication Heap Corruption Denial Of Service Vulnerability
Boundary Condition Error 7037
Yes No
2003-03-06 12:00:00 2009-07-11 08:06:00
Discovery of this vulnerability credited to Rapid7, Inc.

- Affected program versions

Lotus Notes Client 5.0.11
Lotus Notes Client 5.0.10
Lotus Notes Client 5.0.9a
Lotus Notes Client 5.0.5
Lotus Notes Client 5.0.4
Lotus Notes Client 5.0.3
Lotus Notes Client 5.0.2
Lotus Notes Client 5.0.1
Lotus Notes Client 5.0
Lotus Notes Client R5
Lotus Domino 5.0.11
Lotus Domino 5.0.10
Lotus Domino 5.0.9a
Lotus Domino 5.0.9
Lotus Domino 5.0.8a
Lotus Domino 5.0.8 -french
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0.8
Lotus Domino 5.0.7a
Lotus Domino 5.0.7
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0.6a
Lotus Domino 5.0.6
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0.5 -french
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Server
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0.5
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0.4a
Lotus Domino 5.0.4
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0.3
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0.2
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0.1
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Lotus Domino 5.0
Lotus Domino 4.6.4
- Microsoft Windows NT 4.0
Lotus Domino 4.6.3
Lotus Domino 4.6.1
- Microsoft Windows NT 4.0

- Unaffected program versions

Lotus Notes Client 6.0.1
Lotus Notes Client 6.0
Lotus Notes Client R6
Lotus Domino 6.0.1
Lotus Domino 6.0
Lotus Domino 5.0.12
IBM Lotus Notes 6.0.1
IBM Lotus Notes 6.0
IBM Lotus Notes 5.0.12

- Vulnerability discussion

A heap corruption vulnerability has been reported for Lotus Notes and Lotus Domino. The vulnerability exists in the NotesRPC authentication protocol used by Notes clients and servers.

When authenticating against a Notes server, a client sends data regarding its DN. Manipulation of some header fields in the data packets sent to the Notes server will trigger an arithmetic error which will result in the corruption of heap memory.

An unauthenticated Notes client can exploit this vulnerability by connecting to a vulnerable Notes server and manipulating the contents of the data that is being exchanged with the server. This will trigger the overflow condition and will result in the corruption of sensitive heap memory with attacker-supplied values and lead to a denial of service condition.

This issue was originally described in BID 7036. It is now being assigned its own BID.

- Exploitation

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

These issues have reportedly been fixed by upgrading to R5.0.12, R6 Gold, and 6.0.1. Administrators are urged to apply the upgrades and also follow best practices as well as all available mitigating strategies.

Fixes for Notes and Domino can be found at the Notes/Domino Downloads link in the References section.

- Related references
