Vulnerabilities > CVE-2008-2499 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Lotus Sametime

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

ibm

CWE-119

nessus

exploit available

metasploit

NVD

Published: 2008-05-29

Updated: 2018-10-31

Summary

Stack-based buffer overflow in the Community Services Multiplexer (aka MUX or StMux.exe) in IBM Lotus Sametime 7.5.1 CF1 and earlier, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code via a crafted URL.

Vulnerable Configurations

Part	Description	Count
Application	Ibm IBM Lotus Sametime - IBM Lotus Sametime 1.5 IBM Lotus Sametime 2.5 IBM Lotus Sametime 7.0 IBM Lotus Sametime 7.5 IBM Lotus Sametime 7.5.1 IBM Lotus Sametime 8.0	7

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description	IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow. CVE-2008-2499. Remote exploit for windows platform
id	EDB-ID:16696
last seen	2016-02-02
modified	2010-05-09
published	2010-05-09
reporter	metasploit
source	https://www.exploit-db.com/download/16696/
title	IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow

description	IBM Lotus Sametime 8.0 Multiplexer Buffer Overflow Vulnerability. CVE-2008-2499. Remote exploit for unix platform
id	EDB-ID:31820
last seen	2016-02-03
modified	2008-05-21
published	2008-05-21
reporter	Manuel Santamarina Suarez
source	https://www.exploit-db.com/download/31820/
title	IBM Lotus Sametime <= 8.0 - Multiplexer Buffer Overflow Vulnerability

Metasploit

description	This module exploits a stack buffer overflow in Lotus Domino\'s Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez.
id	MSF:EXPLOIT/WINDOWS/LOTUS/DOMINO_SAMETIME_STMUX
last seen	2020-06-12
modified	2017-11-08
published	2008-11-14
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2499
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/lotus/domino_sametime_stmux.rb
title	IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow

Nessus

NASL family	Misc.
NASL id	LOTUS_SAMETIME_STMUX_BUFFER_OVERFLOW.NASL
description	The version of Lotus Sametime STMux.exe on the remote host is prone to a remote stack-based buffer overflow attack because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
last seen	2020-06-01
modified	2020-06-02
plugin id	70103
published	2013-09-24
reporter	This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/70103
title	IBM Lotus Sametime Multiplexer Buffer Overflow
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(70103); script_version("1.7"); script_cvs_date("Date: 2018/07/14 1:59:37"); script_cve_id("CVE-2008-2499"); script_bugtraq_id(29328); script_name(english:"IBM Lotus Sametime Multiplexer Buffer Overflow"); script_summary(english:"Checks retrieved version"); script_set_attribute( attribute:"synopsis", value: "The remote server hosts an application that contains a buffer overflow vulnerability." ); script_set_attribute( attribute:"description", value: "The version of Lotus Sametime STMux.exe on the remote host is prone to a remote stack-based buffer overflow attack because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer." ); script_set_attribute(attribute:"solution", value:"Upgrade to version 7.5.1CF2 / 8.0.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/21"); script_set_attribute(attribute:"patch_publication_date", value:"2008/06/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/24"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_sametime"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("lotus_sametime_detect.nasl"); script_require_keys("www/lotus_sametime"); script_require_ports("Services/www", 80, 8032, 1533); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80); get_kb_item_or_exit("www/lotus_sametime/" + port + "/installed"); version = get_kb_item_or_exit("www/lotus_sametime/" + port + "/version"); # Check that version is formatted correctly. if (version !~ "^[0-9]+(?:\.[0-9]+)+[a-zA-Z0-9]*$") audit(AUDIT_UNKNOWN_WEB_APP_VER, 'IBM Lotus Sametime', build_url(qs:'/', port:port)); # Check for additional info at end of version. # If it is a CF then use that as part of the version # comparison. cf = FALSE; sub_version = eregmatch(pattern:"^[0-9]+(?:\.[0-9]+)+([a-zA-Z0-9]+)$", string:version); if (max_index(sub_version) == 2) { sub_version = sub_version[1]; version = str_replace(string:version, find:sub_version, replace:''); if (sub_version =~ "^CF[0-9]+$") cf = TRUE; } # IBM version info https://www-304.ibm.com/support/docview.wss?uid=swg21098628 vuln = FALSE; # fixed 7.5.1CF2 if (ver_compare(ver:version, fix:'7.5.1', strict:FALSE) == 0) { if (!cf \|\| sub_version == "CF1") vuln = TRUE; } # Fixed 8.0.1 or higher else if (ver_compare(ver:version, fix:'8.0.1', strict:FALSE) == -1) { vuln = TRUE; } if (vuln) { if (report_verbosity > 0) { report = '\n Installed version : ' + version + sub_version + '\n Fixed version : 7.5.1CF2 / 8.0.1' + '\n'; security_hole(port: port, extra: report); } else security_hole(port); } else audit(AUDIT_LISTEN_NOT_VULN, "IBM Lotus Sametime", port, version + sub_version);

Packetstorm

data source	https://packetstormsecurity.com/files/download/83226/domino_sametime_stmux.rb.txt
id	PACKETSTORM:83226
last seen	2016-12-05
published	2009-11-26
reporter	patrick
source	https://packetstormsecurity.com/files/83226/IBM-Lotus-Domino-Sametime-STMux.exe-Stack-Overflow.html
title	IBM Lotus Domino Sametime STMux.exe Stack Overflow

Saint

bid	29328
description	IBM Lotus Sametime Community Services Multiplexer buffer overflow
id	web_server_lotus_sametimehttp
osvdb	45610
title	lotus_sametime_multiplexer
type	remote

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit-Db

Metasploit

Nessus

Packetstorm

Saint

References