IBM Support

Lotus Domino Web server 'Accept-Language' stack overflow

Technote (FAQ)


Question

MWR InfoSecurity contacted IBM® Lotus® to report a potential denial of service vulnerability with the Lotus Domino® Web server. The vulnerability exposes an issue with the Domino Web server when it processes an HTTP request that contains specific "Accept-Language" content.



The MWR InfoSecurity advisory can be accessed at the following link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2240

The CVE Identifier is CVE-2008-2240.


Cause

In order for an attacker to successfully exploit this vulnerability, the following must be accomplished:

  • Domino Web server task (HTTP) must be enabled
  • Attacker must be able to connect to the Domino Web server
  • Attacker must create an HTTP request that includes the vulnerable "Accept-Language" syntax
  • The Domino Web server processing the malicious request could result in a Denial of Service.

If the Domino server does crash, it could result in the following stack trace in the NSD:


nlsccstr.dll!ccSTRIOpenStrSessionInt(LNO_INFO * * phStr=0x61616161, const void * pCountry=0x61616161, const void * pLanguage=0x61616161, cctSTRCharSettag CSId=1633771873, unsigned char OptGroup='a', unsigned short * pSubstChar=0x612fb17c, cctSTRIAnchorBlockTag * pAnchorBlock=0x06054ae4, unsigned long StrSessionFlags=0) Line 898 + 0xe C 61616161()
nnotes.dll!OSGetCachedCLS(unsigned short CSID=256, char * CtryLang=0x078d146c) Line 2674 + 0x46 C
nnotes.dll!DominoUnEscape(unsigned short TokenType=1, int bLmbcsInput=0, const char * In=0x078e206f, unsigned short InLen=22, char * Out=0x07ddf078, unsigned short * OutLen=0x07ddf004, char * pLang=0x078d146c) Line 1249 + 0xe C
nnotes.dll!TranslateURITokenToLMBCS(const char * EncType=0x017a73c0, unsigned short TokenType=1, int bLmbcsInput=0, const char * In=0x078e206f, unsigned short InLen=22, char * Out=0x07ddf078, unsigned short * OutLen=0x07ddf004, char * pLang=0x078d146c) Line 406 + 0x23 C
ninotes.dll!CmdURL::DecSegmentFull(unsigned short type=1, char * segment=0x078e206f, int segmentLen=22, char * buf=0x07ddf078, int bufLen=32, int isLmbcs=0) Line 1700 + 0x2d C++
ninotes.dll!CmdURL::DecodeSegment(unsigned short type=1, char * segment=0x078e206f, int segmentLen=22, char * buf=0x07ddf078, int bufLen=32, int isLmbcs=0) Line 1595 C++
ninotes.dll!CmdURL::SetCommandId() Line 913 + 0x2b C++
ninotes.dll!CmdURL::Init(int & retIsOurs=0, unsigned int httpMethodType=2, const char * reqUrl=0x07544ee0, const char * reqPath=0x07544af0, const char * reqQuery=0x07544afc, unsigned long fl=2, unsigned short (void *, unsigned short, char *, void *, UNIVERSALNOTEID_tag *, unsigned short *, char *, int)* lookupFcn=0x014b8720, void * lookupData=0x07ddf438) Line 341 + 0xc4 C++
ninotes.dll!InotesHTTPPreAuthenticate(_InotesHTTPrequest * ihReq=0x07544690) Line 2434 + 0x78 C++
nhttpstack.dll!HTInotesRequest::PreAuthenticate() Line 758 + 0xc C++
nhttpstack.dll!HTRequestExtContainer::PreAuthenticate() Line 625 + 0x19 C++
nhttpstack.dll!HTRequest::ProcessRequest() Line 1690 + 0x21 C++
nhttpstack.dll!HTSession::StartRequest() Line 551 + 0x11 C++
nhttpstack.dll!HTWorkerThread::CheckForWork() Line 216 C++
nhttpstack.dll!HTWorkerThread::ThreadMain() Line 83 C++
nhttpstack.dll!HTThreadBeginProc(void * arg=0x02b980f4) Line 40 C++
nnotes.dll!ThreadWrapper(void * Parameter=0x00000000) Line 1037 C
kernel32.dll!7c80b683()


Answer

This issue was reported to Quality Engineering as SPR# MKIN79DR9S, and has been fixed in Domino 7.0.3 Fix Pack 1 (FP1) and 8.0.1. Refer to the Upgrade Central site for details on upgrading Notes/Domino.





Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 7.8 >
---- Impact Subscore: < 6.9 >
---- Exploitability Subscore: < 10 >
CVSS Temporal Score: < 6.1 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 6.1 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Low >
  • Authentication < None >
  • Confidentiality Impact: < None >
  • Integrity Impact: < None >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code>
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Related information

Document information

More support for: IBM Domino
Web Server

Software version: 6.0, 6.5, 7.0, 8.0

Operating system(s): Linux, Windows

Reference #: 1303057

Modified date: 2009-01-29