IBM Lotus Domino IMAP Cram-MD5 Buffer Overflow Vulnerability

Bugtraq ID:	23172
Class:	Boundary Condition Error
CVE:	CVE-2007-1675
Remote:	Yes
Local:	No
Published:	Mar 27 2007 12:00AM
Updated:	Dec 18 2007 08:06PM
Credit:	The Zero Day Initiative reported this issue to IBM.
Vulnerable:	IBM Lotus Domino 7.0.2 IBM Lotus Domino 7.0.1 IBM Lotus Domino 7.0 IBM Lotus Domino 6.5.5 FP2 IBM Lotus Domino 6.5.5 FP1 IBM Lotus Domino 6.5.5 IBM Lotus Domino 6.5.4 FP 2 IBM Lotus Domino 6.5.4 FP 1 IBM Lotus Domino 6.5.4 IBM Lotus Domino 6.5.3 IBM Lotus Domino 6.5.2 IBM Lotus Domino 6.5.1 IBM Lotus Domino 6.5 .0
Not Vulnerable:	IBM Lotus Domino 7.0.2 FP1 IBM Lotus Domino 6.5.6

IBM Lotus Domino IMAP Cram-MD5 Buffer Overflow Vulnerability

IBM Lotus Domino Server is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

IBM Lotus Domino IMAP Cram-MD5 Buffer Overflow Vulnerability

The following exploit is available to members of the Immunity Partner's program:

https://www.immunityinc.com/downloads/immpartners/domino_cram

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploits are also available:

• /data/vulnerabilities/exploits/Lotus Domino IMAP_Username_DoS_Rexp.py
• /data/vulnerabilities/exploits/23172.py
• /data/vulnerabilities/exploits/23172July20th2007.py

IBM Lotus Domino IMAP Cram-MD5 Buffer Overflow Vulnerability

Solution:
The vendor has released fixes for this issue. Please see the referenced advisory for more information.

IBM Lotus Domino IMAP Cram-MD5 Buffer Overflow Vulnerability

References:

• 1257028 - IBM Lotus Domino IMAP Server Buffer Overflow Vulnerability (IBM)
  
• IBM Homepage (IBM)
  
• Lotus Domino Product Homepage (IBM)
  
• ZDI-07-011: IBM Lotus Domino IMAP Server CRAM-MD5 Authentication Buffer Overflow (ZDI)
  
• ZDI-07-011: IBM Lotus Domino IMAP Server CRAM-MD5 Authentication Buffer Overflow (ZDI)