Lotus Domino LDAP Message Remote Denial of Service Vulnerability
BID:17669
Info
| Bugtraq ID: | 17669 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 24 2006 12:00AM |
| Updated: | Jan 14 2010 10:51PM |
| Credit: | Discovered by Evgeny Legerov. |
| Vulnerable: | IBM Lotus Domino 8.0.1; IBM Lotus Domino 7.0.3 Fix Pack 1 (FP1); IBM Lotus Domino 7.0.3; IBM Lotus Domino 7.0.2 FP3; IBM Lotus Domino 7.0.2 FP2; IBM Lotus Domino 7.0.2 FP1; IBM Lotus Domino 7.0.2; IBM Lotus Domino 7.0.1; IBM Lotus Domino 7.0; IBM Lotus Domino 8.5 FP1; IBM Lotus Domino 8.5; IBM Lotus Domino 8.0.2.1; IBM Lotus Domino 8.0 |
| Not Vulnerable: | |
Discussion
Lotus Domino LDAP server is prone to a remote denial-of-service vulnerability when handling malformed requests.
Lotus Domino 7.0 is vulnerable; earlier versions may also be affected.
UPDATE (January 14, 2010): This issue is reported to be caused by a heap-based buffer-overflow vulnerability. A proof of concept is available. Lotus Domino 8.5 Fixpack 1 is also vulnerable.
Exploit / POC
The ProtoVer LDAP test suite may be used to exploit this issue. It is unknown whether a version of the test suite that includes the test case that triggers this issue is publicly available at this time.
The following proof of concept is available:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]
References
References:
- Lotus Domino 7 (probably 8) LDAP heap overflow (Evgeny Legerov)
- Lotus Domino Product Homepage (IBM)
- Notes/Domino Downloads (IBM)
- ProtoVer LDAP: testing Lotus Domino Server 7.0 (Evgeny Legerov)