Lotus Domino Web server 'Accept-Language' stack overflow

Technote (FAQ)


Question

MWR InfoSecurity contacted IBM® Lotus® to report a potential denial of service vulnerability in the Lotus Domino® Web server. The issue occurs when the Domino Web server processes an HTTP request whose "Accept-Language" header contains specific content.



The MWR InfoSecurity advisory can be accessed at the following link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2240

The CVE Identifier is CVE-2008-2240.



Cause

For an attacker to exploit this vulnerability, the following conditions must hold:

  • The Domino Web server task (HTTP) must be enabled.
  • The attacker must be able to connect to the Domino Web server.
  • The attacker must send an HTTP request whose "Accept-Language" header uses the vulnerable syntax.

When the Domino Web server processes such a malicious request, it can crash, resulting in a denial of service.

If the Domino server does crash, the NSD (Notes System Diagnostic) output can contain a stack trace like the following:


nlsccstr.dll!ccSTRIOpenStrSessionInt(LNO_INFO * * phStr=0x61616161, const void * pCountry=0x61616161, const void * pLanguage=0x61616161, cctSTRCharSettag CSId=1633771873, unsigned char OptGroup='a', unsigned short * pSubstChar=0x612fb17c, cctSTRIAnchorBlockTag * pAnchorBlock=0x06054ae4, unsigned long StrSessionFlags=0) Line 898 + 0xe C 61616161()
nnotes.dll!OSGetCachedCLS(unsigned short CSID=256, char * CtryLang=0x078d146c) Line 2674 + 0x46 C
nnotes.dll!DominoUnEscape(unsigned short TokenType=1, int bLmbcsInput=0, const char * In=0x078e206f, unsigned short InLen=22, char * Out=0x07ddf078, unsigned short * OutLen=0x07ddf004, char * pLang=0x078d146c) Line 1249 + 0xe C
nnotes.dll!TranslateURITokenToLMBCS(const char * EncType=0x017a73c0, unsigned short TokenType=1, int bLmbcsInput=0, const char * In=0x078e206f, unsigned short InLen=22, char * Out=0x07ddf078, unsigned short * OutLen=0x07ddf004, char * pLang=0x078d146c) Line 406 + 0x23 C
ninotes.dll!CmdURL::DecSegmentFull(unsigned short type=1, char * segment=0x078e206f, int segmentLen=22, char * buf=0x07ddf078, int bufLen=32, int isLmbcs=0) Line 1700 + 0x2d C++
ninotes.dll!CmdURL::DecodeSegment(unsigned short type=1, char * segment=0x078e206f, int segmentLen=22, char * buf=0x07ddf078, int bufLen=32, int isLmbcs=0) Line 1595 C++
ninotes.dll!CmdURL::SetCommandId() Line 913 + 0x2b C++
ninotes.dll!CmdURL::Init(int & retIsOurs=0, unsigned int httpMethodType=2, const char * reqUrl=0x07544ee0, const char * reqPath=0x07544af0, const char * reqQuery=0x07544afc, unsigned long fl=2, unsigned short (void *, unsigned short, char *, void *, UNIVERSALNOTEID_tag *, unsigned short *, char *, int)* lookupFcn=0x014b8720, void * lookupData=0x07ddf438) Line 341 + 0xc4 C++
ninotes.dll!InotesHTTPPreAuthenticate(_InotesHTTPrequest * ihReq=0x07544690) Line 2434 + 0x78 C++
nhttpstack.dll!HTInotesRequest::PreAuthenticate() Line 758 + 0xc C++
nhttpstack.dll!HTRequestExtContainer::PreAuthenticate() Line 625 + 0x19 C++
nhttpstack.dll!HTRequest::ProcessRequest() Line 1690 + 0x21 C++
nhttpstack.dll!HTSession::StartRequest() Line 551 + 0x11 C++
nhttpstack.dll!HTWorkerThread::CheckForWork() Line 216 C++
nhttpstack.dll!HTWorkerThread::ThreadMain() Line 83 C++
nhttpstack.dll!HTThreadBeginProc(void * arg=0x02b980f4) Line 40 C++
nnotes.dll!ThreadWrapper(void * Parameter=0x00000000) Line 1037 C
kernel32.dll!7c80b683()
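As an added defensive illustration (not part of this technote and not IBM code), the following Python script screens captured HTTP requests for "Accept-Language" values that are overlong or do not follow the RFC 2616 language-range grammar. The technote does not state the exact triggering syntax, so the length threshold, request paths and sample traffic are assumptions; the script is a triage aid for proxy or web-server captures, not a test for the vulnerability itself.

```python
import re

# RFC 2616 section 14.4 grammar for one Accept-Language element:
#   language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*", optional ";q=" qvalue
LANGUAGE_RANGE = re.compile(
    r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)"
    r"(?:\s*;\s*q\s*=\s*(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$"
)
# Assumed policy threshold (not from the advisory): genuine headers are short.
MAX_HEADER_LEN = 256

def check_accept_language(value):
    """Return reasons the header value looks anomalous (empty list = OK)."""
    findings = []
    if len(value) > MAX_HEADER_LEN:
        findings.append(f"overlong value ({len(value)} bytes)")
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in value):
        findings.append("non-printable or non-ASCII bytes")
    for element in value.split(","):
        element = element.strip()
        if element and not LANGUAGE_RANGE.match(element):
            findings.append(f"bad language-range syntax: {element[:40]!r}")
            break
    return findings

def scan_requests(raw_requests):
    """Return (request_line, findings) for every raw request with a flagged header."""
    flagged = []
    for raw in raw_requests:
        lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
        for line in lines[1:]:
            name, sep, val = line.partition(":")
            if sep and name.strip().lower() == "accept-language":
                findings = check_accept_language(val.strip())
                if findings:
                    flagged.append((lines[0], findings))
    return flagged

# Constructed sample traffic (paths are made up): two ordinary requests, one suspicious.
SAMPLE_REQUESTS = [
    "GET /example.nsf HTTP/1.1\r\nHost: domino.example\r\n"
    "Accept-Language: en-US,en;q=0.8,de;q=0.5\r\n\r\n",
    "GET /example.nsf HTTP/1.1\r\nHost: domino.example\r\n"
    "Accept-Language: " + "a" * 600 + "\r\n\r\n",
    "GET /help.nsf HTTP/1.1\r\nHost: domino.example\r\nAccept-Language: *\r\n\r\n",
]

if __name__ == "__main__":
    for request_line, findings in scan_requests(SAMPLE_REQUESTS):
        print(request_line, "->", "; ".join(findings))
```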


Answer

This issue was reported to Quality Engineering as SPR# MKIN79DR9S, and has been fixed in Domino 7.0.3 Fix Pack 1 (FP1) and 8.0.1. Refer to the Upgrade Central site for details on upgrading Notes/Domino.





Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 7.8 >
---- Impact Subscore: < 6.9 >
---- Exploitability Subscore: < 10 >
CVSS Temporal Score: < 6.1 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 6.1 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Low >
  • Authentication: < None >
  • Confidentiality Impact: < None >
  • Integrity Impact: < None >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Related information

A simplified Chinese translation is available



Document information

More support for: IBM Domino Web Server
Software version: 6.0, 6.5, 7.0, 8.0
Operating system(s): Linux, Windows
Reference #: 1303057
Modified date: 2009-01-29
