OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 3rd quarter (Jul-Sep) 1998: L0pht Advisory: Lotus Note Vulnerability

L0pht Advisory: Lotus Note Vulnerability

Aleph One (aleph1DFW.NET)
Wed, 5 Aug 1998 10:36:27 -0500

http://www.l0pht.com/advisories/nny.txt

`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
                 L0pht Security Advisory
    URL Origin:  http://www.l0pht.com/advisories.html
  Release Date:  July 31, 1998   Application:  Notes 4.6+ Client
 Operating Sys:  Any
      Severity:  Users can overwrite/create system files
        Author:  nny <nnyl0pht.com>
  Patch Status:  Lotus has been made aware of this vulnerabilities
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'

I. Description

The L0pht has received reports regarding a vulnerability in some
implementations of Lotus Domino via the Notes Client. Information about
this vulnerability has been posted to various public mailing lists and
newsgroups.

Versions 4.6+ of the Lotus Notes Client appear to be vulnerable; lower
version may also be vulnerable but at this time are untested.  The
vulnerability affects companys that use Lotus Notes primarily for
development purposes or as an Intranet. Also any servers that were
distributed with the Lotus Notes Client that are not running the HTTPD
task by default are vulnerable.  Note: This assumes Domino servers have
been patched due to previous advisory.

Additionally, previous vulnerabilities, such as the one presented by
mattwl0pht.com (Web users can write to remote server drives and change
server configuration files), now come into play once more with the
addition of the vulnerability in the Notes Client. No new vulnerability
exists in Lotus Domino that run the HTTP task by default.

II. Impact

Remote intruders can potentially retreive: in development databases,
confidential company records, etc etc. All of the above can be achieved by
connecting to a vulnerable Notes Client.

IIa. To Test

>From within Lotus Notes 4.6+ Client:
1. Open any given database
2. Click Actions -> Preview in Web Browser

This should have launched your designated web browser and connected to
http://199.99.99.99/database or something similar. Even though you only
have the Notes Client installed on the machine and not the server, the
HTTPD task is now running and accepting connections on port 80. Thus
anyone on the Internet could then do http://199.99.99.99/domcfg.nsf/?open
or even http://199.99.99.99 (to get a listing of the available
databases). Subsequently you could open the log and see the database(s)
the given user was recently accessing or modifying.

>From this point you can search around and basically manipulate documents
that do a wide variety of things. Domino URL commands (which can be used
to edit, delete, and manipulate files via the web) can be found in all
documentation as well as at:
http://www.notes.net/today.nsf/cbb328e5c12843a9852563dc006721c7/ca5230f9baf39fe
1852564b5005e8419

Note: Once the Notes Client is closed the HTTPD task is also.

III. Solution

ACLs need to be edited manually by a competent admin to be ensured of
security.  Take, for example, if domlog.nsf could be read, that alone is
a security breech.

Workaround
Setup routing filters to dissallow access to the http port of
Notes Client only machines.

--------------------------------------------------------------------------

The authoritative version of this file is at:
http://www.l0pht.com/advisories.html