PRL-2011-03

#####################################################################################

Application:   IBM Lotus Domino LDAP Bind Request Remote Code Execution Vulnerability

Platforms:   Windows

Exploitation:   Remote code execution

CVE Number:

ZDI number:   ZDI-11-047

{PRL}:   2011-03

Author:   Francis Provencher (Protek Research Lab’s)

WebSite:   http://www.protekresearchlab.com/

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Lotus Domino is an IBM server product that provides enterprise-grade e-mail,
collaboration capabilities, and a custom application platform. Domino began
life as Lotus Notes Server, the server component of Lotus Development Corporation’s
client-server messaging technology. It can be used as an application server for
Lotus Notes applications and/or as a web server. It also has a built-in database
system in the format of NSF. Its directory services can be used for authentication
purposes as well.

(http://en.wikipedia.org/wiki/IBM_Lotus_Domino)

#####################################################################################

============================
2) Report Timeline
============================

2010-07-20 – Vulnerability reported to vendor
2011-02-07 – Coordinated public release of advisory

#####################################################################################

====================
3) Technical details
====================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable
installations of IBM Lotus Domino. Authentication is not required to exploit this
vulnerability: the Bind Request is the LDAP message that carries the credentials, so
it is processed before any authentication has taken place. The flaw exists within the
nLDAP.exe component, which listens by default on TCP port 389. When handling an LDAP
Bind Request packet, the process blindly copies user-supplied data into an undersized
shared memory buffer, without checking the attacker-controlled length against the
size of the destination. A remote attacker can exploit this vulnerability to execute
arbitrary code in the context of the SYSTEM user.
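
The following is an added illustration, not code from this advisory, from Protek or
from IBM, and it does not reflect the internals of nLDAP.exe. It is a minimal LDAPv3
Bind Request encoder and parser in C showing the two length checks a server must make
before copying the bind name into a fixed-size slot: that the BER length field fits
inside the bytes actually received, and that it fits the destination buffer. The
second check is the one whose absence is the bug class described above. The slot size
NAME_CAP, the struct layout and the error codes are assumptions of the example, and
the sample packets are constructed by the code itself rather than captured traffic.

```c
/* Minimal LDAPv3 BindRequest encoder/parser showing the length check that the
 * "undersized buffer" bug class described above lacks. Illustrative only: this is
 * NOT nLDAP.exe code; NAME_CAP, the struct layout and error codes are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NAME_CAP 64   /* assumed capacity of the fixed name slot */
enum { BER_OK = 0, BER_MALFORMED = -1, BER_OVERRUN = -2, BER_TOO_BIG = -3 };
/* name[] is a fixed slot, like a record in a shared-memory block. */
struct bind_req { uint32_t msg_id; uint8_t version; char name[NAME_CAP]; size_t name_len; };

/* Decode one BER tag + length. On success *pos points at the value bytes and the
 * claimed length is guaranteed to fit inside the bytes actually received. */
static int ber_header(const uint8_t *pkt, size_t len, size_t *pos, uint8_t *tag, size_t *vlen)
{
    if (len - *pos < 2) return BER_MALFORMED;
    *tag = pkt[(*pos)++];
    uint8_t b = pkt[(*pos)++];
    if (b < 0x80) { *vlen = b; }                 /* short form */
    else {                                       /* long form: n length octets follow */
        size_t n = b & 0x7f, v = 0;
        if (n == 0 || n > 4 || n > len - *pos) return BER_MALFORMED;
        while (n--) v = (v << 8) | pkt[(*pos)++];
        *vlen = v;
    }
    /* Never trust a length field: it must not exceed what is actually present. */
    return (*vlen > len - *pos) ? BER_OVERRUN : BER_OK;
}

static int ber_uint(const uint8_t *pkt, size_t len, size_t *pos, uint8_t want_tag, uint32_t *out)
{
    uint8_t tag; size_t vlen; uint32_t v = 0;
    int rc = ber_header(pkt, len, pos, &tag, &vlen);
    if (rc) return rc;
    if (tag != want_tag || vlen == 0 || vlen > 4) return BER_MALFORMED;
    while (vlen--) v = (v << 8) | pkt[(*pos)++];
    *out = v;
    return BER_OK;
}

/* LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0]
 *   BindRequest { version INTEGER, name OCTET STRING, authentication ... } } */
int parse_bind_request(const uint8_t *pkt, size_t len, struct bind_req *out)
{
    size_t pos = 0, vlen; uint8_t tag; uint32_t v; int rc;
    if ((rc = ber_header(pkt, len, &pos, &tag, &vlen))) return rc;
    if (tag != 0x30) return BER_MALFORMED;                   /* SEQUENCE */
    if ((rc = ber_uint(pkt, len, &pos, 0x02, &out->msg_id))) return rc;
    if ((rc = ber_header(pkt, len, &pos, &tag, &vlen))) return rc;
    if (tag != 0x60) return BER_MALFORMED;                   /* [APPLICATION 0] */
    if ((rc = ber_uint(pkt, len, &pos, 0x02, &v))) return rc;
    out->version = (uint8_t)v;
    if ((rc = ber_header(pkt, len, &pos, &tag, &vlen))) return rc;
    if (tag != 0x04) return BER_MALFORMED;                   /* name OCTET STRING */
    /* The missing check: attacker-chosen vlen vs fixed slot; memcpy without it is the bug. */
    if (vlen >= NAME_CAP) return BER_TOO_BIG;
    memcpy(out->name, pkt + pos, vlen);
    out->name[vlen] = '\0';
    out->name_len = vlen;
    return BER_OK;
}

/* Encoder, used only to construct sample packets (constructed, not captured traffic). */
static size_t ber_put_len(uint8_t *p, size_t n)
{
    if (n < 0x80)  { p[0] = (uint8_t)n; return 1; }
    if (n < 0x100) { p[0] = 0x81; p[1] = (uint8_t)n; return 2; }
    p[0] = 0x82; p[1] = (uint8_t)(n >> 8); p[2] = (uint8_t)n; return 3;
}

size_t build_bind_request(uint8_t *buf, size_t cap, uint8_t msg_id, const char *name, size_t name_len)
{
    uint8_t op[1024], msg[1040]; size_t n = 0, m = 0, h;
    if (name_len > 1000) return 0;
    op[n++] = 0x02; op[n++] = 0x01; op[n++] = 0x03;           /* version 3 */
    op[n++] = 0x04; n += ber_put_len(op + n, name_len);       /* name */
    memcpy(op + n, name, name_len); n += name_len;
    op[n++] = 0x80; op[n++] = 0x00;                           /* simple auth, empty */
    msg[m++] = 0x02; msg[m++] = 0x01; msg[m++] = msg_id;      /* messageID */
    msg[m++] = 0x60; m += ber_put_len(msg + m, n);            /* BindRequest */
    memcpy(msg + m, op, n); m += n;
    if (cap < 4 + m) return 0;
    buf[0] = 0x30; h = 1 + ber_put_len(buf + 1, m);           /* LDAPMessage */
    memcpy(buf + h, msg, m);
    return h + m;
}

/* Build a bind whose name is name_len copies of fill, drop the last truncate_by
 * bytes, and parse it. Returns the parser's code (-98: round-trip mismatch). */
int demo_parse(char fill, size_t name_len, size_t truncate_by)
{
    char name[1000]; uint8_t pkt[1100]; struct bind_req r;
    if (name_len > sizeof name) return -99;
    memset(name, fill, name_len);
    size_t n = build_bind_request(pkt, sizeof pkt, 7, name, name_len);
    if (n == 0 || truncate_by >= n) return -99;
    int rc = parse_bind_request(pkt, n - truncate_by, &r);
    if (rc == BER_OK && (r.msg_id != 7 || r.version != 3 || r.name_len != name_len ||
                         memcmp(r.name, name, name_len) != 0)) return -98;
    return rc;
}
```

Any C99 compiler builds this stand-alone. demo_parse('A', 200, 0) returns BER_TOO_BIG
where an unchecked copy would have written 200 bytes into a 64-byte slot, and
demo_parse('a', 15, 10) returns BER_OVERRUN because the outer SEQUENCE length claims
more bytes than arrived; a name of exactly 63 bytes is the largest the slot accepts.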

#####################################################################################

===========
4) POC
===========

Here

###############################################################################