IBM Lotus Domino Accept-Language Buffer Overflow Vulnerability
Date Discovered:
05/26/2008
Severity:
High
Applications Affected:
IBM Lotus Domino 8.0
IBM Lotus Domino 6.0
IBM Lotus Domino 6.5.0
IBM Lotus Domino 7.0
IBM Lotus Domino 7.0.3
Type:
Remote
Identifiers:
CVE-2008-2240
BID-29310
Vendor:
IBM, Inc.
Synopsis:
IBM Lotus Domino can allow users to gain web based access to email and
other Notes Databases. Notes Databases can be accessed using the HTTP
protocol through the Lotus Domino web server in a similar manner to any
other web-enabled technology. A vulnerability was identified in the code
responsible for handling the HTTP header information provided by a
user's browser.
The Accept-Language field was discovered to be taken from the HTTP
header in the request and processed by the web server. By sending a
specially-crafted HTTP GET request with an overly long "Accept-Language"
header, a remote attacker could overflow a buffer and execute arbitrary
code on the system with SYSTEM privileges or cause the server to crash.
A remote attacker can use an HTTP 1.1 request containing the GET
method, a URL containing specific parameters, a valid Host header and a
suitably crafted "Accept-Language" header. A total of 118 bytes are
required after the data passed in the affected HTTP header to
completely overwrite the return address of the affected function. It is
important to avoid the character 0x0a in the shellcode as this will be
interpreted as a new line in the HTTP header.
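A defender-side check for the condition described above: it parses a raw HTTP request, extracts the Accept-Language header and flags values that are overlong or that do not match the language-range grammar of RFC 2616 section 14.4. This is an added example, not code from the advisory or from IBM; the 256-byte limit, the host name and the two sample requests are constructed assumptions.

```python
import re

# Whitelist grammar for one Accept-Language element (RFC 2616 14.4):
# language-range = ( 1*8ALPHA *( "-" 1*8alphanum ) ) | "*", optional ";q=" qvalue.
LANGUAGE_RANGE = re.compile(r'^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$')
QVALUE = re.compile(r'^q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$')

# Assumed size limit for the whole header value. Real browsers send a few dozen
# bytes; the advisory describes an overflow triggered by an overly long value.
MAX_ACCEPT_LANGUAGE_LEN = 256


def parse_headers(raw):
    """Return (request_line, {lowercased-name: value}) from raw request bytes."""
    head = raw.split(b'\r\n\r\n', 1)[0].decode('latin-1')
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        if ':' not in line:
            continue                      # ignore malformed header lines
        name, value = line.split(':', 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_accept_language(value):
    """Return a list of findings for one header value; empty means it looks benign."""
    findings = []
    if len(value) > MAX_ACCEPT_LANGUAGE_LEN:
        findings.append('length %d exceeds %d' % (len(value), MAX_ACCEPT_LANGUAGE_LEN))
    for item in value.split(','):
        parts = [p.strip() for p in item.split(';')]
        if not LANGUAGE_RANGE.match(parts[0]):
            findings.append('malformed language-range %r' % parts[0][:20])
        for param in parts[1:]:
            if not QVALUE.match(param):
                findings.append('malformed parameter %r' % param[:20])
    return findings


def inspect_request(raw):
    """Inspect a raw HTTP request and report findings for its Accept-Language header."""
    _, headers = parse_headers(raw)
    value = headers.get('accept-language')
    return [] if value is None else check_accept_language(value)


# Constructed sample traffic (not taken from the advisory).
BENIGN = (b"GET /names.nsf HTTP/1.1\r\nHost: domino.example\r\n"
          b"Accept-Language: en-US,en;q=0.8,de;q=0.5\r\n\r\n")
SUSPECT = (b"GET /names.nsf HTTP/1.1\r\nHost: domino.example\r\n"
           b"Accept-Language: " + b"A" * 1024 + b"\r\n\r\n")
```

Run against a request log or wired into a reverse proxy hook, a non-empty result from `inspect_request` is the event to alert on; the grammar check also catches values that fit the length limit but are not plausible language tags.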