(0Day) IBM Lotus Domino IMAP/POP3 Non-Printable Character Expansion Remote Code Execution Vulnerability
2011-02-07T00:00:00
ID ZDI-11-045 Type zdi Reporter Anonymous Modified 2011-06-22T00:00:00
Description
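This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability. The specific flaw exists within the POP3 and IMAP services while processing malformed e-mails. The vulnerable code expands specific non-printable characters within a "mail from" command without allocating adequate space. By providing enough of these characters, memory can be corrupted, leading to arbitrary code execution in the context of the SYSTEM user. The associated CVE-2011-0919 record in this entry describes the same input as non-printable characters in an envelope sender address and classifies the flaw as a stack-based buffer overflow (CWE-119). The OpenVAS check referenced in this entry gives 8.5.2 FP3 or 8.5.3 or later as the fixed versions; that check is banner-based (qod_type remote_banner_unreliable), so the installed version should be confirmed on the host itself.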
{"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-0919"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902419"]}], "modified": "2020-06-22T11:40:53", "rev": 2}, "score": {"value": 8.2, "vector": "NONE", "modified": "2020-06-22T11:40:53", "rev": 2}, "vulnersScore": 8.2}, "edition": 3, "href": "https://www.zerodayinitiative.com/advisories/ZDI-11-045/", "modified": "2011-06-22T00:00:00", "published": "2011-02-07T00:00:00", "description": "This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability. The specific flaw exists within the POP3 and IMAP services while processing malformed e-mails. The vulnerable code expands specific non-printable characters within a \"mail from\" command without allocating adequate space. By providing enough of these characters, memory can be corrupted leading to arbitrary code execution under the context of the SYSTEM user.", "bulletinFamily": "info", "viewCount": 2, "title": "(0Day) IBM Lotus Domino IMAP/POP3 Non-Printable Character Expansion Remote Code Execution Vulnerability", "references": ["http://www-01.ibm.com/support/docview.wss?uid=swg21461514"], "cvelist": ["CVE-2011-0919"], "type": "zdi", "id": "ZDI-11-045", "lastseen": "2020-06-22T11:40:53", "reporter": "Anonymous", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:39:25", "description": "Multiple stack-based buffer overflows in the (1) POP3 and (2) IMAP services in IBM Lotus Domino allow remote attackers to execute arbitrary code via non-printable characters in an envelope sender address, aka SPR KLYH87LLVJ.", "edition": 3, "cvss3": {}, "published": "2011-02-08T22:00:00", "title": "CVE-2011-0919", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0919"], "modified": "2018-10-09T19:29:00", "cpe": ["cpe:/a:ibm:lotus_domino:*"], "id": "CVE-2011-0919", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0919", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ibm:lotus_domino:*:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:39:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0916", "CVE-2011-0920", "CVE-2011-0919", "CVE-2011-0918"], "description": "The host is running IBM Lotus Domino Server and is prone to\n multiple vulnerabilities.", "modified": "2018-10-20T00:00:00", "published": "2011-05-09T00:00:00", "id": "OPENVAS:1361412562310902419", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902419", "type": "openvas", "title": "IBM Lotus Domino Multiple Remote Buffer Overflow Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ibm_lotus_domino_mult_vuln.nasl 11997 2018-10-20 11:59:41Z mmartin $\n#\n# 
IBM Lotus Domino Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:ibm:lotus_domino';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902419\");\n script_version(\"$Revision: 11997 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-20 13:59:41 +0200 (Sat, 20 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-09 15:38:03 +0200 (Mon, 09 May 2011)\");\n script_cve_id(\"CVE-2011-0916\", \"CVE-2011-0918\", \"CVE-2011-0919\", \"CVE-2011-0920\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"IBM Lotus Domino Multiple Remote Buffer Overflow Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_lotus_domino_detect.nasl\");\n script_mandatory_keys(\"Domino/Version\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation may allow remote attackers to execute\n arbitrary code in the context of the Lotus Domino server process or bypass authentication.\");\n 
script_tag(name:\"affected\", value:\"IBM Lotus Domino versions 8.5.3 prior\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Stack overflow in the SMTP service, which allows remote attackers to\n execute arbitrary code via long arguments in a filename parameter in a\n malformed MIME e-mail message.\n\n - Buffer overflow in nLDAP.exe, which allows remote attackers to execute\n arbitrary code via an LDAP Bind operation.\n\n - Stack overflow in the NRouter service, which allows remote attackers to\n execute arbitrary code via long filenames associated with Content-ID and\n ATTACH:CID headers in attachments in malformed calendar-request e-mail\n messages.\n\n - Multiple stack overflows in the POP3 and IMAP services, which allows\n remote attackers to execute arbitrary code via non-printable characters\n in an envelope sender address.\n\n - The Remote Console, when a certain unsupported configuration involving UNC\n share pathnames is used, allows remote attackers to bypass authentication\n and execute arbitrary code via unspecified vectors.\");\n script_tag(name:\"solution\", value:\"Upgrade to version 8.5.2 FP3 or 8.5.3 or later.\");\n script_tag(name:\"summary\", value:\"The host is running IBM Lotus Domino Server and is prone to\n multiple vulnerabilities.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/43247\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/43224\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-11-045/\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-11-049/\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-11-047/\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-11-046/\");\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21461514\");\n script_xref(name:\"URL\", 
value:\"http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=23&Itemid=23\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/software/lotus/products/domino\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\"); # Used in get_highest_app_version\ninclude(\"host_details.inc\");\n\nif( ! vers = get_highest_app_version( cpe:CPE ) ) exit( 0 );\n\nvers = ereg_replace(pattern:\"FP\", string:vers, replace: \".FP\");\n\nif( version_is_less( version:vers, test_version:\"8.5.2.FP3\" ) ) {\n report = report_fixed_ver( installed_version: vers, fixed_version:\"8.5.2 FP3/8.5.3\" );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}