Bugtraq: Lotus Domino Web Access Malicious Email View Remote Denial of Service Vulnerability

Technote (FAQ)


Question

A posting to Bugtraq reports that an attacker can craft and send a malicious email that will cause the Domino Server to crash if viewed using the Domino Web Access client. The body of the email must be 12 MB or greater.

The original advisory address is as follows: http://www.securityfocus.com/bid/10641

Additional advisories containing the same information have also been posted on various sites.

Answer

This issue was reported to Lotus Quality Engineering as SPR # KMES5YA2Q8 and the issue has been addressed in Domino Web Access 6.5.3. IBM Lotus also plans to address this in an upcoming maintenance release of 6.0.x.

Excerpt from the Lotus Notes and Domino Release 6.5.3 MR fix list (available at http://www.ibm.com/developerworks/lotus):

Mail

  • SPR# KMES5YA2Q8 - Fixed a potential denial of service. This regression was introduced in 6.5. See technote# 1173969 for more details.

The following workaround can be used to prevent this issue from occurring:

In the Router/SMTP tab of the Server Configuration document, switch to the Restrictions and Controls tab and under Restrictions, set the Maximum Message Size to less than 12 MB. For example:

Maximum message size: 11000 KB

In this example, messages over 11000 KB (11 MB) will be prevented from being placed in the Mail.box on your server.

Sample callstack of KMES5YA2Q8

############################################################
### FATAL THREAD 47/124 [ nHTTP:08b4:0afc]
### FP=0x11b3a6a0, PC=0x60002c5d, SP=0x11b3a684, stksize=28
### EAX=0x00000000, EBX=0xffffffff, ECX=0x0001b000, EDX=0x3197f0e8
### ESI=0x00000000, EDI=0x18f11c74, CS=0x0000001b, SS=0x00000023
### DS=0x00000023, ES=0x00000023, FS=0x0000003b, GS=0x00000000
Flags=0x00010246
Exception code: c0000005 (ACCESS_VIOLATION)
############################################################
@[ 1] 0x60002c5d nnotes._OSFreeBBlock@12+13 (ffffffff,1b000,0,3197f0e8)
@[ 2] 0x6000ce14 nnotes._OSLocalFree@4+68 (3197f0f4,11b3a6d4,4827fe,3197f0f4)
@[ 3] 0x00482910 NINOTES.INProcessNotesLocalMemory::Deallocate+16 (3197f0f4,11b3a6e0,482bdc,3197f0f4)
@[ 4] 0x004827fe NINOTES.INProcessMemory::Deallocate+30 (3197f0f4,11b3a6ec,482bfc,3197f0f4)
@[ 5] 0x00482bdc NINOTES.operator delete+12 (3197f0f4,11b3a6f8,484f3c,3197f0f4)
@[ 6] 0x00482bfc NINOTES.operator delete[]+12 (3197f0f4,11b3a724,484e73,3197f0f4)
@[ 7] 0x00484f3c NINOTES.MemoryStream::FreePage+12 (3197f0f4,18f11c74,0,484dc1)
@[ 8] 0x00484e73 NINOTES.MemoryStream::Close+19 (18f11c74,11b3a7e4,50430a,1)
@[ 9] 0x00484d6b NINOTES.MemoryStream::`scalar deleting destructor'+11 (1,0,18f11c74,0)
@[10] 0x0050430a NINOTES.RefObject::DelRef+106 (11b3bca0,11b3bc98,18f140f4,65d8e8)
@[11] 0x0053f7d8 NINOTES.Haiku::GenerateHtml+1144 (ff800f4,77e41d83,18f140f4,0)
@[12] 0x00565387 NINOTES.Haiku::HandleDominoCmd+375 (18f140f4,18f140f4,fe9778,77e41d83)
@[13] 0x0053eae0 NINOTES.Haiku::HandleCmd+1040 (18f140f4,fe9778,0,18f140f4)
@[14] 0x00440077 NINOTES.CmdHandlerBase::PrivHandle+103 (18f140f4,0,0,fe9778)
@[15] 0x0043e15b NINOTES.CmdHandler::PrivHandle+123 (18f140f4,18e958f4,18f140f4,18f180f4)
@[16] 0x0043e27d NINOTES.CmdHandler::Handler+221 (18f140f4,fe9778,77e41d83,0)
@[17] 0x004384ba NINOTES.Cmd::Execute+58 (ef70eec,ef70c08,0,66d094)
@[18] 0x0047f313 NINOTES._InotesHTTPProcessRequest+1715 (ef70efc,ef70eec,ef70c08,0)
@[19] 0x0047ec8f NINOTES._InotesHTTPProcessRequest+47 (ef70efc,3,18f90084,427f0)
@[20] 0x100140a4 nhttpstack.HTInotesRequest::ProcessRequest+36 (ef70c08,ef70aa4,0,3)
@[21] 0x100101b1 nhttpstack.HTRequestExtContainer::ProcessRequest+545 (5,101aefc,9d8b2f8,0)
@[22] 0x1001cf3a nhttpstack.HTRequest::ProcessRequest+1722 (0,ef35992,0,11b3ff24)
@[23] 0x100215a6 nhttpstack.HTSession::StartRequest+790 (ef3599e,ef35992,0,60092571)
@[24] 0x1002a9cd nhttpstack.HTWorkerThread::CheckForWork+285 (3,ef35992,10027a80,10027aaa)
@[25] 0x1002a857 nhttpstack.HTWorkerThread::ThreadMain+87 (ef35992,0,0,0)
@[26] 0x60115d84 nnotes._ThreadWrapper@4+212 (0,0,0,0)
[27] 0x77e4a990 KERNEL32.FlsSetValue+1913
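
For triage, a crash stack in the format above can be compared against this sample automatically. The following Python sketch is an added example, not IBM code: it parses the fatal-thread header and frame lines and reports whether an nHTTP access violation contains the sample's key frames in order. The choice of frames in `SIGNATURE` is an assumption made for this example, and a match is only a hint that the crash may be SPR# KMES5YA2Q8.

```python
import re

FATAL_RE = re.compile(r"FATAL THREAD \d+/\d+ \[\s*(\w+):")
EXC_RE = re.compile(r"Exception code:\s*([0-9a-fA-F]+)")
# "@[ 7] 0x00484f3c NINOTES.MemoryStream::FreePage+12 (args)"; args are optional
FRAME_RE = re.compile(
    r"^@?\[\s*(\d+)\]\s+0x[0-9a-fA-F]+\s+([^.\s]+)\.(.+?)\+\d+(?:\s+\(.*\))?$")

# Assumption: frames picked for this example from the sample stack, innermost first.
SIGNATURE = ("_OSFreeBBlock", "MemoryStream::FreePage", "MemoryStream::Close",
             "Haiku::GenerateHtml", "_InotesHTTPProcessRequest")

def parse_crash(text):
    """Return (process, exception_code, [(index, module, symbol), ...])."""
    process = exc = None
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := FATAL_RE.search(line):
            process = m.group(1)
        elif m := EXC_RE.search(line):
            exc = m.group(1).lower()
        elif m := FRAME_RE.match(line):
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return process, exc, sorted(frames)

def matches_kmes5ya2q8(text):
    """True if an nHTTP access violation holds SIGNATURE as an ordered subsequence."""
    process, exc, frames = parse_crash(text)
    if (process or "").lower() != "nhttp" or exc != "c0000005":
        return False
    symbols = iter(sym for _, _, sym in frames)
    # Each any() resumes where the previous one stopped, which enforces frame order.
    return all(any(want in sym for sym in symbols) for want in SIGNATURE)

# Excerpt of the sample callstack from this technote (frames abridged).
TECHNOTE_SAMPLE = """\
### FATAL THREAD 47/124 [ nHTTP:08b4:0afc]
Exception code: c0000005 (ACCESS_VIOLATION)
@[ 1] 0x60002c5d nnotes._OSFreeBBlock@12+13 (ffffffff,1b000,0,3197f0e8)
@[ 6] 0x00482bfc NINOTES.operator delete[]+12 (3197f0f4,11b3a724,484e73,3197f0f4)
@[ 7] 0x00484f3c NINOTES.MemoryStream::FreePage+12 (3197f0f4,18f11c74,0,484dc1)
@[ 8] 0x00484e73 NINOTES.MemoryStream::Close+19 (18f11c74,11b3a7e4,50430a,1)
@[11] 0x0053f7d8 NINOTES.Haiku::GenerateHtml+1144 (ff800f4,77e41d83,18f140f4,0)
@[18] 0x0047f313 NINOTES._InotesHTTPProcessRequest+1715 (ef70efc,ef70eec,ef70c08,0)
[27] 0x77e4a990 KERNEL32.FlsSetValue+1913
"""

if __name__ == "__main__":
    print(matches_kmes5ya2q8(TECHNOTE_SAMPLE))
```

The symbol names match the Windows stack shown here; decorated names on other platforms may differ and would need their own signature.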



Document information

More support for:
Lotus End of Support Products
Lotus Domino Web Access

Software version: 6.0, 6.5

Operating system(s): Linux, Windows

Reference #: 1173969

Modified date: 2004-10-28
