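##############################################################################
#
# IBM Lotus Domino Script Insertion and Buffer Overflow Vulnerabilities
#
# Copyright: OS2A and its member companies
#
# Date Written: 2007/03/29
#
# $Revision: 1.3 $
#
# $Log: os2a_ibm_lotus_domino_xss_bof_609201.nasl,v $
# Revision 1.3  2007/04/17 07:04:19  gnagendra
# -Added bid, cve-id, desc
#
# Revision 1.2  2007/04/05 09:26:29  schandan
# Modified regex. Issue #3912
#
# Revision 1.1  2007/03/30 14:17:22  shraddha
# To Production Issue #3912
#
#
# Revision 1.1  2007/03/29 16:41:21  gnagendra
# ------------------------------------------------------------------------
# This program was written by OS2A and/or its member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# Plugin registration branch: only metadata for the scanner lives here, no
# check is performed.
if(description)
{
  script_id(609201);
  script_bugtraq_id(23172, 23173, 23174);
  script_cve_id("CVE-2007-1675", "CVE-2006-4843", "CVE-2007-1739");
  script_copyright(english:"Copyright (C) 2007 OS2A");
  script_version ("$Revision: 1.3 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_name(english:"IBM Lotus Domino Script Insertion and Buffer Overflow Vulnerabilities");
  script_summary(english:"Check for vulnerable version of IBM Lotus Domino");

  desc["english"] = "
  Overview :

  This host has IBM Lotus Domino installed, which is prone to multiple
  script insertion and buffer overflow vulnerabilities.

  These flaws are due to,
  - an input validation error in the Active Content Filter feature when
    processing certain email messages.
  - a boundary error within the IMAP service (nimap.exe) during CRAM-MD5
    authentication and can be exploited by passing an overly long username
    (more than 256 bytes).
  - an error in the LDAP service when handling certain requests and can be
    exploited via a specially crafted request containing a string longer
    than 65535 bytes.

  Impact :

  Successful exploitation allows malicious users to conduct script insertion
  attacks, crash the service and potentially compromise a vulnerable system.
  Scope of impact is restricted to system level.

  Affected Software :

  IBM Lotus Domino versions prior to 6.5.6
  IBM Lotus Domino versions prior to 7.0.2 Fix Pack 1

  Affected Platform :

  Any system running the affected software.

  Solution :

  Upgrade to IBM Lotus Domino version 6.5.6/7.0.2 Fix Pack 1 (FP1),
  http://www14.software.ibm.com/webapp/download/support.jsp

  References :

  http://www-1.ibm.com/support/docview.wss?uid=swg21257028
  http://www-1.ibm.com/support/docview.wss?uid=swg21257248

  CVSS Score :

  CVSS Base Score     : 7.0 (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
  CVSS Temporal Score : 5.5

  Risk factor : High";

  script_description(english:desc["english"]);
  # find_service.nes populates Services/imap; smb_hotfixes.nasl populates
  # SMB/WindowsVersion for the file-version branch further down.
  script_dependencies("find_service.nes", "smb_hotfixes.nasl");
  # The plugin was previously gated on script_require_keys("SMB/WindowsVersion"),
  # which made the platform-independent IMAP banner check below unreachable on
  # non-Windows Domino hosts. The SMB branch re-checks that key itself before
  # touching the registry, so the plugin-level requirement is dropped.
  exit(0);
}

include("imap_func.inc");

# ---- IMAP banner check (any platform) --------------------------------------
port = get_kb_item("Services/imap");
if(!port){
  port = 143;
}

if(get_port_state(port))
{
  banner = get_imap_banner(port);
  if("Domino IMAP4 Server" >< banner)
  {
    # Vulnerable releases, matched right after "Release ":
    #   0.x - 5.x, 6.0 - 6.4 (any), 6.5 - 6.5.5, 7.0 - 7.0.2 (but not 7.0.2FPn,
    #   excluded by the [^.F0-9] after the "2").
    # The trailing [^.0-9] requires one more character after the version, so a
    # greeting that ends exactly at the version string would not match; the
    # Domino greeting is assumed to continue with " ready ..." -- TODO confirm.
    vulnRelease = "Domino IMAP4 Server Release ([0-5]\..*|6\.([0-4](\..*)?|5(\.[0-5])?)|7\.0(\.([0-1]|2[^.F0-9]))?)[^.0-9]";
    if(ereg(pattern:vulnRelease, string:banner)){
      security_hole(port);
    }
    # A Domino IMAP banner decides the host either way; stop here so the SMB
    # file-version branch does not report the same host a second time.
    exit(0);
  }
}

# Check LDAP port.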
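# ---- LDAP branch: nserver.exe file version over SMB (Windows only) ---------
# The open LDAP port is only used as the reporting port; the actual version
# comes from the Domino binary on disk, read through the administrative share.
port = 389;
if(get_port_state(port))
{
  include("ntlmv2.inc");
  include("os2a_fileversion.inc");

  # SMB session parameters (smb_port, smb_host, smb_login, smb_pass, smb_domain)
  # and the cx_* helpers are expected to come from the two includes above
  # -- not visible here, verify against those files.
  if(!get_kb_item("SMB/WindowsVersion")){
    exit(0);
  }

  # Double-quoted NASL strings are not escape-processed, so the single
  # backslashes in this key (and in "\nserver.exe" below) are literal.
  dominoPath = cx_registry_get_sz(key:"SOFTWARE\Lotus\Domino", item:"Path");
  if(!dominoPath){
    exit(0);
  }

  # Map the install drive to its administrative share, e.g. "C:\Lotus\Domino"
  # -> "C$". Lower-case drive letters are accepted too; the original [A-Z]
  # pattern left the whole path as the share name when the letter was lower
  # case. With no drive letter there is no share to connect to, so bail out
  # before opening a socket rather than attempting a connect with a bogus
  # share name.
  share = ereg_replace(pattern:"([A-Za-z]):.*", replace:"\1$", string:dominoPath);
  if(isnull(share) || share == dominoPath){
    exit(0);
  }

  soc = open_sock_tcp(smb_port);
  if(!soc){
    exit(0);
  }

  fcnx = cx_smb_connect(soc:soc, host:smb_host, login:smb_login, pass:smb_pass,
                        domain:smb_domain, share:share);
  if(fcnx == NULL)
  {
    close(soc);
    exit(0);
  }

  # Full path including the drive letter is passed; the helper is assumed to
  # translate it relative to the share -- TODO confirm in os2a_fileversion.inc.
  dominoVer = cx_getFileVersion(soc:soc, fcnx:fcnx, return_array:0,
                                filename:dominoPath + "\nserver.exe");
  cx_smb_close(fcnx:fcnx);
  close(soc);

  if(dominoVer == NULL){
    exit(0);
  }

  # Vulnerable nserver.exe file versions:
  #   0.x - 5.x, 6.0 - 6.4 (any), 6.5.0 - 6.5.5, and 7.0.00 / 7.0.10 / 7.0.20.
  # The 7.0 branch assumes the third field carries the fix pack in its low
  # digit (so 7.0.21 = 7.0.2 FP1 is deliberately not matched) -- TODO confirm
  # against a real 7.0.2 FP1 build.
  vulnFileVersion = "^([0-5]\..*|6\.([0-4](\..*)?|5\.[0-5]\..*)|7\.0\.([0-2]0\..*))($|[^.0-9])";
  if(ereg(pattern:vulnFileVersion, string:dominoVer)){
    security_hole(port);
  }
}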