Buffer overflow in Lotus Domino web server before R5.0.10, when logging to DOMLOG.NSF, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP Authenticate header containing certain non-ASCII characters.
Lotus Domino web servers before R5.0.10 are vulnerable to a remote buffer overflow that allows attackers to crash the server and potentially execute arbitrary code. The overflow is triggered by an HTTP request carrying a long Authenticate header that contains certain non-ASCII characters; memory is corrupted when the server logs that header to DOMLOG.NSF. The vulnerability poses a significant risk of denial of service and remote code execution on unpatched systems.
Step 1: Payload Delivery: An attacker crafts and sends an HTTP request to the vulnerable Lotus Domino web server.
Step 2: Header Construction: The attacker includes a malicious Authenticate header in the HTTP request. This header is intentionally very long and contains specific non-ASCII characters.
Step 3: Request Processing: The Domino web server receives the HTTP request and attempts to log the Authenticate header to the DOMLOG.NSF file.
Step 4: Buffer Overflow: The server's logging mechanism copies the overly long Authenticate header into a fixed-size buffer. Because the header's length exceeds the buffer's capacity, a buffer overflow occurs.
Step 5: Memory Corruption: The overflow overwrites adjacent memory regions, corrupting program data and potentially overwriting critical control structures.
Step 6: Denial of Service/Code Execution: The memory corruption leads to either a server crash (denial of service) or, if the attacker can control the overwritten data, the execution of arbitrary code.
The vulnerability lies in the Lotus Domino web server's handling of the HTTP Authenticate header when it logs the header to DOMLOG.NSF. The server does not validate the length of the Authenticate header before writing it to a fixed-size buffer, so an oversized header overwrites adjacent memory. Non-ASCII characters likely make the overflow easier to reach: differences in character encoding can increase the effective size of the header beyond its raw byte length, so a check on the raw length alone would not be sufficient. The resulting memory corruption can crash the server (denial of service) or, in a more sophisticated attack, let an attacker overwrite critical program data and execute arbitrary code. The root cause is the absence of bounds checking on input data before it is copied into a fixed-size buffer.
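The following C example, added here and not taken from Domino's code, illustrates the root cause described above: a logging routine that checks only the raw header length (naive_fits) accepts a short non-ASCII header that expands past a fixed-size field once encoded, while the hardened routine (log_header_safe) sizes the encoded output before writing anything. The field size, the "\xHH" log encoding and all function names are hypothetical assumptions chosen for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_FIELD_CAP 64   /* hypothetical fixed-size log record field */

/* Hypothetical log encoding: bytes >= 0x80 are written as "\xHH" (4 bytes),
 * so a non-ASCII header grows when logged. Returns bytes needed, excluding NUL. */
static size_t encoded_len(const char *s) {
    size_t n = 0;
    for (; *s; s++)
        n += ((unsigned char)*s >= 0x80) ? 4 : 1;
    return n;
}

/* Flawed check: validates the raw header length only, ignoring expansion. */
bool naive_fits(const char *hdr, size_t cap) {
    return strlen(hdr) < cap;
}

/* Hardened: size the *encoded* output before any write; reject if it cannot fit. */
bool log_header_safe(const char *hdr, char *out, size_t cap) {
    if (encoded_len(hdr) + 1 > cap)
        return false;                        /* oversize: log nothing, no overflow */
    char *p = out;
    for (; *hdr; hdr++) {
        unsigned char c = (unsigned char)*hdr;
        if (c >= 0x80)
            p += snprintf(p, 5, "\\x%02X", (unsigned)c);
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return true;
}

/* Convenience wrapper: log into a fixed field and report whether it was accepted. */
bool try_log(const char *hdr) {
    static char field[LOG_FIELD_CAP];
    return log_header_safe(hdr, field, sizeof field);
}

int main(void) {
    /* Constructed sample: 20 raw bytes, all non-ASCII -> 80 bytes once encoded. */
    char hdr[21];
    memset(hdr, 0xC3, 20);
    hdr[20] = '\0';
    printf("raw len %zu, naive fits: %d, safe logged: %d\n",
           strlen(hdr), naive_fits(hdr, LOG_FIELD_CAP), try_log(hdr));
    return 0;
}
```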