IBM Lotus Notes Protocol Authentication Heap Corruption Denial Of Service Vulnerability
A heap corruption vulnerability has been reported for Lotus Notes and Lotus Domino. The vulnerability exists in the NotesRPC authentication protocol used by Notes clients and servers. When authenticating against a Notes server, a client sends data regarding its distinguished name (DN). Manipulating some header fields in the data packets sent to the Notes server triggers an arithmetic error that results in the corruption of heap memory.

An unauthenticated Notes client can exploit this vulnerability by connecting to a vulnerable Notes server and manipulating the contents of the data exchanged with the server. This triggers the overflow condition, corrupts sensitive heap memory with attacker-supplied values, and leads to a denial of service condition.

This issue was originally described in BID 7036. It is now being assigned its own BID.