IBM Lotus Domino iCalendar Email Address ORGANIZER:mailto Header Remote Overflow - Nessus

High   Plugin ID: 53534

---

This page contains detailed information about the IBM Lotus Domino iCalendar Email Address ORGANIZER:mailto Header Remote Overflow Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 53534
Name: IBM Lotus Domino iCalendar Email Address ORGANIZER:mailto Header Remote Overflow
Filename: lotus_domino_icalendar_safe.nasl
Vulnerability Published: 2010-09-14
This Plugin Published: 2011-04-22
Last Modification Time: 2018-11-15
Plugin Version: 1.16
Plugin Type: remote
Plugin Family: SMTP problems
Dependencies: smtpserver_detect.nasl

Vulnerability Information

---

Severity: High
Vulnerability Published: 2010-09-14
Patch Published: 2010-09-14
CVE [?]: CVE-2010-3407
CPE [?]: cpe:/a:ibm:lotus_domino

Synopsis

The remote mail service is affected by a remote stack-based buffer overflow vulnerability.

Description

According to its self-reported version, the remote SMTP service is an instance of IBM Lotus Domino that is is affected by a remote stack-based buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the 'nrouter.exe' Lotus Domino server process. Failed attacks will cause denial of service conditions.

Solution

Upgrade to IBM Lotus Domino 8.0.2 FP5 / 8.5.1 FP2 / 8.5.2 or later.

Public Exploits

---

Target Network Port(s): 25
Target Asset(s): Services/smtp
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the IBM Lotus Domino iCalendar Email Address ORGANIZER:mailto Header Remote Overflow vulnerability:

1. Metasploit: exploit/windows/lotus/domino_icalendar_organizer
   [IBM Lotus Domino iCalendar MAILTO Buffer Overflow]
2. Exploit-DB: exploits/windows/remote/17151.rb
   [EDB-17151: IBM Lotus Domino iCalendar - MAILTO Buffer Overflow (Metasploit)]
3. Immunity Canvas: D2ExploitPack

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSS Base Score:	9.3 (High)
Impact Subscore:	10.0
Exploitability Subscore:	8.6
CVSS Temporal Score:	7.7 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	7.7 (High)

Go back to menu.

Plugin Source

---

This is the lotus_domino_icalendar_safe.nasl nessus plugin source code. This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(53534);
  script_version("1.16");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_cve_id("CVE-2010-3407");
  script_bugtraq_id(43219);

  script_name(english:"IBM Lotus Domino iCalendar Email Address ORGANIZER:mailto Header Remote Overflow");
  script_summary(english:"Checks version in Lotus Domino's SMTP banners");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote mail service is affected by a remote stack-based buffer
overflow vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to its self-reported version, the remote SMTP service is an
instance of IBM Lotus Domino that is is affected by a remote
stack-based buffer overflow vulnerability because it fails to perform
adequate boundary checks on user-supplied input.

Successfully exploiting this issue may allow remote attackers to
execute arbitrary code in the context of the 'nrouter.exe' Lotus
Domino server process.  Failed attacks will cause denial of service
conditions."
  );
   # http://www-10.lotus.com/ldd/fixlist.nsf/8d1c0550e6242b69852570c900549a74/613a204806e3f211852576e2006afa3d?OpenDocument
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a5dee6ba"
  );
   # http://www-10.lotus.com/ldd/fixlist.nsf/8d1c0550e6242b69852570c900549a74/af36678d60bd74288525778400534d7c?OpenDocument
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d7d5efdc"
  );
   # http://www-01.ibm.com/software/lotus/products/domino/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6fa36abe"
  );
   # http://www-10.lotus.com/ldd/fixlist.nsf/8d1c0550e6242b69852570c900549a74/52f9218288b51dcb852576c600741f72?OpenDocument
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?8072500a"
  );
   # http://www-01.ibm.com/support/docview.wss?uid=swg21446515
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b1c391a1"
  );
   # http://labs.mwrinfosecurity.com/assets/159/mwri_lotus-domino-ical-stack-overflow_2010-09-14.pdf
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?cd9e7c99"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to IBM Lotus Domino 8.0.2 FP5 / 8.5.1 FP2 / 8.5.2 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'IBM Lotus Domino iCalendar MAILTO Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:ibm:lotus_domino");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SMTP problems");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("smtpserver_detect.nasl");
  script_require_ports("Services/smtp", 25);

  exit(0);
}

include("global_settings.inc");
include("smtp_func.inc");
include("misc_func.inc");

version = NULL;
vulnerable = FALSE;

port = get_service(svc:'smtp', default:25, exit_on_fail:TRUE);

banner = get_smtp_banner(port:port);
if (!banner) exit(1, "The SMTP server listening on port "+port+" did not return a banner.");
if (" ESMTP Service " >< banner && "(Lotus Domino" >< banner)
{
  items = eregmatch(pattern:"ESMTP Service \(Lotus Domino Release (.*)\)", string:banner);
  if (items)
  {
    version = items[1];
  }
}
else exit(0, "The SMTP server listening on port "+port+" is not Lotus Domino.");

if (version)
{
  major = 0;
  minor = 0;

  if ("FP" >< version)
  {
    sp_ver = split(version, sep:"FP", keep:FALSE);
    ver = sp_ver[0];
    fp = int(sp_ver[1]);
  }
  else
  {
    ver = version;
    fp = 0;
  }

  ver_maj_min = split(ver, sep:".", keep:FALSE);
  major = int(ver_maj_min[0]);
  minor = int(ver_maj_min[1]);
  if ( major == 0 ) exit(1, "Could not parse the banner "+banner+" on port "+port);

  if(!isnull(ver_maj_min[2]))
  {
    build = int(ver_maj_min[2]);
  }
  else
  {
    build = 0;
  }

  #Versions Not Vuln, Everything else is vuln and wont be patched.
  #8.0.2 FP5, 8.5.2, 8.5.1 FP2
  if (
    (major > 8) ||
    (major == 8 && minor == 0 && build == 2 && fp >= 5) ||
    (major == 8 && minor == 5 && build >= 2 && fp >= 0) ||
    (major == 8 && minor == 5 && build == 1 && fp >= 2) ||
    (major == 8 && minor >= 6)
    )
    {
      vulnerable = FALSE;
    }
  else 
      vulnerable = TRUE;
}

if (vulnerable == TRUE)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Banner            : ' + banner +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 8.0.2 FP5 / 8.5.1 FP2 / 8.5.2\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);

}
else exit(0, "Lotus Domino "+version+" is listening on port "+port+" and not affected.");

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/lotus_domino_icalendar_safe.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\lotus_domino_icalendar_safe.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/lotus_domino_icalendar_safe.nasl

Go back to menu.

How to Run

---

Here is how to run the IBM Lotus Domino iCalendar Email Address ORGANIZER:mailto Header Remote Overflow as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select SMTP problems plugin family.
6. On the right side table select IBM Lotus Domino iCalendar Email Address ORGANIZER:mailto Header Remote Overflow plugin ID 53534.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl lotus_domino_icalendar_safe.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a lotus_domino_icalendar_safe.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - lotus_domino_icalendar_safe.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state lotus_domino_icalendar_safe.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 43219

See also:

• https://www.tenable.com/plugins/nessus/53534
• http://www.nessus.org/u?6fa36abe
• http://www.nessus.org/u?8072500a
• http://www.nessus.org/u?a5dee6ba
• http://www.nessus.org/u?b1c391a1
• http://www.nessus.org/u?cd9e7c99
• http://www.nessus.org/u?d7d5efdc
• https://vulners.com/nessus/LOTUS_DOMINO_ICALENDAR_SAFE.NASL

Similar and related Nessus plugins:

• 70743 - IBM Domino 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities
• 73969 - IBM Domino 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities (credentialed check)
• 71861 - IBM Domino 9.x < 9.0.1 Multiple Vulnerabilities (credentialed check)
• 61487 - IBM Lotus Notes < 8.5.3 FP2 URL Handler Unspecified Remote Code Execution
• 70744 - IBM Notes 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities
• 73970 - IBM Notes 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities
• 66944 - IBM Notes PNG Integer Overflow
• 59685 - IBM Lotus iNotes Upload Module ActiveX Control Attachment_Times() Method Buffer Overflow
• 70103 - IBM Lotus Sametime Multiplexer Buffer Overflow
• 32433 - IBM Lotus Domino < 8.0.1 / 7.0.3 FP1 Multiple Vulnerabilities
• 66239 - IBM Lotus Domino 8.5.x < 8.5.3 Multiple Vulnerabilities
• 19309 - IBM Lotus Domino HTML Hidden Field Encrypted Password Disclosure
• 24903 - IBM Lotus Domino IMAP Server (nimap.exe) CRAM-MD5 Authentication Remote Overflow
• 29801 - IBM Lotus Domino Web Access ActiveX Control Buffer Overflow Vulnerabilities
• 54922 - IBM Lotus Notes Attachment Handling Multiple Buffer Overflows
• 27534 - Lotus Notes Client < 7.0.3 / 8.0.1 Multiple Overflows
• 30123 - Citadel SMTP makeuserkey Function RCPT TO Command Remote Overflow
• 11889 - Exchange XEXCH50 Remote Buffer Overflow
• 107149 - Exim < 4.90.1 Buffer Overflow RCE Vulnerability
• 129470 - Exim 4.92.x < 4.92.3 Heap Buffer Overflow
• 51179 - Exim string_format Function Remote Overflow
• 22314 - Ipswitch IMail Server SMTP Service Crafted RCPT String Remote Overflow
• 12065 - ASN.1 Multiple Integer Overflows (SMTP check)
• 15902 - MailCarrier < 3.0.1 SMTP EHLO Command Remote Overflow
• 25928 - Mercury SMTP Server AUTH CRAM-MD5 Remote Buffer Overflow
• 11499 - Sendmail < 8.12.9 NOCHAR Control Value prescan Overflow
• 11316 - Sendmail headers.c crackaddr Function Address Field Handling Remote Overflow
• 11838 - Sendmail < 8.12.10 prescan() Function Remote Overflow
• 11593 - SLMail < 5.1.0.4433 Multiple Command Remote Overflows

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file lotus_domino_icalendar_safe.nasl version 1.16. For more plugins, visit the Nessus Plugin Library.

Go back to menu.