From: Felix Grushevsky (fil@VIADUK.NET)
Date: Fri Feb 09 2001 - 21:06:31 CST


    Lotus Notes has a security protection measure called ECL - Execution
    Control List.
    Basically, every executable design element (form, agent, database, etc.) in
    Lotus Notes has a signature on it. The signature tells Notes about the last
    person who changed this design element.
    The ECL determines whether the signer of the code is allowed to have its
    code run on a given workstation, and defines the extent to which the code
    has access to various workstation functions and is gated by the workstation
    security ECL.
    Basically, in your example you did not have ECL configured - so configure
    it and do your testing again.

    see also
    http://www.notes.net/today.nsf/f01245ebfc115aaf8525661a006b86b9/3a9da544637a69b2852568310078b649?OpenDocument

    Best Regards,
    Feliks Grushevskiy

    Chris Jones <dp@ic-crypt.com>@SECURITYFOCUS.COM on 09.02.2001 18:13:29

    Please respond to dp@ic-crypt.com
    Sent by: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>

    To: BUGTRAQ@SECURITYFOCUS.COM
    cc:

    Subject: Lotus Notes Stored Form Vulnerability

    _________________________________________________________________________

      Security Advisory: Lotus Notes Stored Form Vulnerability
      Date: 8th February 2001
      Author: Chris Jones (aka dp) dp@ic-crypt.com
      Versions Affected: At present only Lotus Notes v4.6 has been tested
    _________________________________________________________________________

    ----[ Exploit Introduction ] ------------------------------------------
    Due to the design flaws of Lotus Notes databases, a user with sufficient
    knowledge can craft a Lotus Notes email in such a way that the recipient
    only has to open the email or view the email in the preview pane to
    become infected or to run the arbitrary code.

    The problem lies in Lotus Notes' ability to allow developers to create forms
    that do not rely on a specific template in a database (like normal emails)
    but instead use their own in-built templates that travel within the
    document. Using these methods an experienced Lotus Notes developer could
    create an email-enabled worm specifically for Lotus Notes networks, which
    could do anything from deleting a few files to granting ACL rights to the
    person's mail box (so all emails could be viewed) to retrieving the user's
    cached passwords or similar information. Another key point that allows this
    exploit to occur is that the design of the mailbox database has by default
    been allowed to accept stored forms.

    ----[ Exploit Generation ] ---------------------------------------------
    To generate the email a malicious user will need to modify the default
    'memo' form's design, which does require a developer's edition of Lotus
    Notes. The malicious user then has to modify the form's properties so the
    'Store form in Document' action is checked. The malicious user then has a
    choice: he could insert code into the form's 'PostOpen' event, which requires
    LotusScript programming knowledge, or he can take the easy method and modify
    the form's 'Launch' properties, which allow the first document attachment to
    be launched when the document is opened, and that could be absolutely anything.

    ----[ Quick Fix ] ------------------------------------------------------
    There is a very quick and very easy method of disabling this feature, and
    that is to modify the mailbox database properties so that 'Allow stored
    forms' is unchecked. This will stop any form of this attack.

    ----[ Platforms Tested ] -----------------------------------------------
    We tested this exploit using Lotus Notes version 4.6, but any version of
    Lotus Notes 4 should be affected, as I am sure lower and higher versions
    would be as well. In our experiment I was able to gain manager access to
    someone else's email box using 4 lines of LotusScript code.

    ----[ Other Notes ] ----------------------------------------------------
    Using LotusScript you can even change the source address of the email to
    fool the user into believing that the infected email came from a trusted
    source. You could even go so far as to code the email so it looks at the
    target's mailbox and creates a duplicate document of his most recent email,
    so it looks as if some other user has sent him two copies of the same email.

    _________________________________________________________________________
    - www.progenic.com -
    _________________________________________________________________________

    _____________________________________________________________
    IC-CRYPT.com - Enhancing Communications Since 1998
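The ECL gating Feliks describes in the reply and the 'Allow stored forms' quick fix from the advisory, as an added model that is not code from either poster and not Notes' own implementation: entry and capability names follow the Notes workstation security ECL, the lookup rules are a simplified approximation, and the signer names 'Template Signer/ACME' and 'Mallory/Evil' are made up.

```python
# Added illustration of the ECL gating described in the reply and of the
# 'Allow stored forms' quick fix from the advisory. Not Notes code: entry and
# capability names follow the Notes workstation security ECL, the lookup
# rules are a simplified model, and the signer names are made up.
from typing import Dict, FrozenSet, Optional

Ecl = Dict[str, FrozenSet[str]]

# Workstation functions a stored form's code may ask for (subset of the real list).
ALL = frozenset({
    "Access to file system", "Access to current database",
    "Access to environment variables", "Access to external programs",
    "Ability to send mail", "Modify other databases",
})
# "Not configured": every entry, including unsigned code, is trusted for everything.
UNCONFIGURED_ECL: Ecl = {"-Default-": ALL, "-No Signature-": ALL}
# Configured: only the organisation's template signer (made-up name) is trusted.
CONFIGURED_ECL: Ecl = {
    "-Default-": frozenset(),
    "-No Signature-": frozenset(),
    "Template Signer/ACME": ALL,
}

def denied(ecl: Ecl, signer: Optional[str], needs: FrozenSet[str]) -> FrozenSet[str]:
    """Capabilities in `needs` the ECL does not grant to `signer`: unsigned code is
    judged by '-No Signature-', a signer with no entry of its own by '-Default-'."""
    if signer is None:
        granted = ecl.get("-No Signature-", frozenset())
    else:
        granted = ecl.get(signer, ecl.get("-Default-", frozenset()))
    return needs - granted

def stored_form_runs(ecl: Ecl, signer: Optional[str], needs: FrozenSet[str],
                     allow_stored_forms: bool = True) -> bool:
    """Would opening a memo with a stored form execute its PostOpen/Launch code?
    `allow_stored_forms` models the mailbox database property from the Quick Fix:
    off means the stored form is ignored and the mailbox's own memo form is used.
    A denied capability counts as a block here; a real client raises an
    Execution Security Alert and asks the user instead."""
    if not allow_stored_forms:
        return False
    return not denied(ecl, signer, needs)

# Constructed sample: a memo whose stored form launches the first attachment and
# grants itself rights on another database (the advisory's two payloads).
ATTACKER = "Mallory/Evil"
MALICIOUS_NEEDS = frozenset({"Access to external programs", "Modify other databases"})
```

Either control on its own stops the sample memo: a configured ECL denies both capabilities to an unlisted or unsigned signer, and unchecking 'Allow stored forms' makes the tampered form irrelevant regardless of the ECL.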