MS-ISAC ADVISORY NUMBER:
2008-020
DATE(S) ISSUED:
5/21/2008
SUBJECT:
Vulnerability in IBM Lotus Domino Web Server Could Allow Remote Code Execution
OVERVIEW:
IBM Lotus Domino is a web server application used to host web sites. A vulnerability has been discovered in the IBM Lotus Domino Web Server that could allow a remote attacker to take complete control of the system. Successful exploitation of this vulnerability will allow an attacker to inject malicious code into the application, thereby allowing the attacker to take control of a vulnerable system and perform actions such as installing programs; viewing, changing, and deleting data; and creating user accounts.
Failed exploits could lead to a denial of service condition.
SYSTEMS AFFECTED:
- IBM Lotus Domino 6.0.0
- IBM Lotus Domino 6.5.0 .0
- IBM Lotus Domino 7.0.0
- IBM Lotus Domino 7.0.3
- IBM Lotus Domino 8.0
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: N/A
DESCRIPTION:
A vulnerability has been discovered in the IBM Lotus Domino Web Server which allows an attacker to execute arbitrary code on an affected system. The application is prone to a buffer overflow vulnerability due to inadequate boundary checks on user-supplied data. The vulnerability is triggered when the application processes HTTP headers, and is exploited by sending a long 'Accept-Language' header in an HTTP GET request. A total of 118 additional bytes is required after the data being passed in the affected HTTP header to completely overwrite the return address of the affected function. A remote attacker can execute arbitrary code within the context of the affected application, which would run with elevated system privileges.
No additional user interaction is required for this exploit to be successful.
Additionally, if an attacker fails to exploit this vulnerability, the failed attempts could result in a denial of service condition on the affected system.
Currently, there is no known proof of concept code available to the public.
IBM has released patches that address this vulnerability.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by IBM to vulnerable systems immediately after appropriate testing. Information regarding the patches can be located at: http://www.ibm.com/support/docview.wss?rs=463&uid=swg21303057
REFERENCES:
SecurityFocus:
http://www.securityfocus.com/bid/29310/info
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg21303057
Secunia:
http://secunia.com/advisories/30310/
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2240
MWR InfoSecurity:
http://www.mwrinfosecurity.com/publications/mwri_ibm-lotus-domino-accept-language-stack-overflow_2008-05-20.pdf
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
