OSEC

From: Steve (stevesecuresolutions.org)
Date: Tue Oct 30 2001 - 18:28:41 CST


    NGSSoftware Insight Security Research Advisory

    Name: Lotus Domino Web Administrator Template ReplicaID Access
    Systems Affected: Lotus Domino 5.x on all operating systems
    Severity: High Risk
    Vendor URL: http://www.lotus.com/
    Author: David Litchfield (davidnextgenss.com)
    Date: 29th October 2001
    Advisory number: #NISR29102001A

    Description
    ***********
    Lotus Domino is an application server designed to support workgroups and
    project collaboration. It offers SMTP, POP3, IMAP, LDAP and web services
    that allow users to interact with Lotus Notes databases.

    NISR have discovered a feature of Domino's web server that allows an
    anonymous user to access the Web Administrator template file
    (webadmin.ntf) and use some of its functionality. Normally webadmin.ntf
    should not be accessible and as such this poses a high security threat
    to systems running Lotus Domino.

    Details
    *******
    Lotus Notes databases can have one of several file extensions, such as
    .nsf, .ns4 or .box. When the Domino web server receives a client request
    it examines the requested path to decide whether it refers to a Notes
    database file. If it does, Domino looks for the file in the
    \lotus\domino\data directory; if it does not, Domino looks in a different
    directory, \lotus\domino\data\domino\html. Some Notes databases are
    derived from template files, which have a .ntf file extension. These
    template files live in the same directory as their .nsf children;
    however, .ntf is not treated as a database extension, so a request for a
    template file by name causes Domino to search the html directory. The
    template is in the data directory, so the web server fails to find the
    file and returns a File Not Found (404) reply.

    Another way to request a database resource is to use the database's
    ReplicaID. A ReplicaID is a 16-digit hexadecimal number used to identify
    replicas (copies) of the same database held on different systems. The
    by-name lookup described above is bypassed when a database is addressed
    by ReplicaID, so a user can reach a Notes database template file by
    making a request to the web server using the template's ReplicaID. Of all
    the templates, only the Web Administrator template appears to be
    dangerous: through it, anonymous users can read any text-based file on
    the system that Domino has permission to access, and can enumerate all
    databases on the system. If the Domino web server process runs as root
    or SYSTEM, the files an attacker can read are not limited at all. The
    problem is made worse by the fact that the webadmin.ntf ReplicaID is the
    same on every Domino installation, so once an attacker knows the
    ReplicaID they can reach the Web Administrator template on any Domino
    system.

    Fix Information
    ***************
    The best course of action is to remove the Web Administrator template
    (webadmin.ntf) from the system. You should also consider removing the
    real Web Administrator database, webadmin.nsf: if someone obtains a valid
    user ID and password for Domino, they can use it to perform undesirable
    actions against the system.

    Lotus has been informed of this issue and will set the permissions on
    webadmin.ntf in the next release of Domino, version 5.0.9, so that
    anonymous access to it is prevented.

    If you want to monitor attempts to access the Web Administrator template
    file, you can obtain the ReplicaID of webadmin.ntf from the Domino
    Catalog, catalog.nsf. Hold down the Control, Shift and H keys while
    opening the catalog; this key sequence causes the Notes client to show
    hidden views as well as visible ones. One of the hidden views,
    $ReplicaID, lists the ReplicaID of every database and template on the
    system.
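    The following script is an added example of the monitoring suggested
    above; it is not part of the original advisory or of any NGSSoftware or
    Lotus tool. It scans web server access-log lines for requests that name
    webadmin.nsf or webadmin.ntf directly, and for requests that address a
    database by ReplicaID (a 16-digit hexadecimal number), optionally
    matching them against a set of ReplicaIDs you have read from the
    $ReplicaID view of catalog.nsf. Assumptions: the log is in a Common Log
    Format-style layout, the server accepts ReplicaIDs either bare or in the
    __<ReplicaID>.nsf form, and the sample log lines and the ReplicaID values
    in them are constructed placeholders (the real webadmin.ntf ReplicaID is
    deliberately not published here).

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Assumption: a Common Log Format-style access-log line. Adapt the pattern
# if your Domino server writes its HTTP log in a different layout.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# A ReplicaID is a 16-digit hexadecimal number. It is matched here either
# bare (/0123456789ABCDEF?OpenDatabase) or as __<ReplicaID>.nsf; accepting
# the latter form is an assumption about the server's URL syntax.
REPLICA_RE = re.compile(r'^/(?:__)?([0-9A-Fa-f]{16})(?:\.nsf)?(?:[/?].*)?$')

# The Web Administrator database and its template, requested by file name.
WEBADMIN_RE = re.compile(r'/webadmin\.n[st]f(?:$|[/?])', re.IGNORECASE)


def classify(path: str, watched_ids: Set[str]) -> Optional[str]:
    """Return a reason if the request path deserves attention, else None."""
    if WEBADMIN_RE.search(path):
        return "webadmin requested by name"
    m = REPLICA_RE.match(path)
    if not m:
        return None
    rid = m.group(1).upper()
    if rid in watched_ids:
        return f"watched ReplicaID {rid}"
    # Any by-ReplicaID request is unusual enough to record, even if unlisted.
    return f"unlisted ReplicaID {rid}"


def scan(lines: Iterable[str], watched_ids: Set[str]) -> List[Dict[str, str]]:
    """Parse access-log lines and return the entries worth alerting on."""
    watched = {w.upper() for w in watched_ids}
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line; skip rather than crash
        reason = classify(m.group("path"), watched)
        if reason:
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "path": m.group("path"),
                "status": m.group("status"),
                "reason": reason,
            })
    return hits


# Constructed sample log. The ReplicaIDs are placeholders, not real values.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Oct/2001:18:28:41 -0600] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 4096',
    '192.0.2.10 - - [30/Oct/2001:18:28:42 -0600] "GET /webadmin.ntf HTTP/1.0" 404 212',
    '192.0.2.10 - - [30/Oct/2001:18:28:43 -0600] "GET /__0123456789ABCDEF.nsf?OpenDatabase HTTP/1.0" 200 8192',
    '198.51.100.7 - - [30/Oct/2001:18:30:00 -0600] "GET /FEDCBA9876543210?OpenDatabase HTTP/1.0" 200 1024',
    '198.51.100.7 - - [30/Oct/2001:18:30:01 -0600] "GET /domino/html/index.html HTTP/1.0" 200 512',
    'not a log line at all',
]

# Fill this with the ReplicaID of webadmin.ntf taken from catalog.nsf's
# $ReplicaID view. The value below is a placeholder.
WATCHED = {"0123456789ABCDEF"}

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, WATCHED):
        print(f'{hit["time"]} {hit["host"]} {hit["status"]} '
              f'{hit["path"]} -> {hit["reason"]}')
```

    Run against the sample log this flags three of the six lines: the
    by-name request for webadmin.ntf (a 404, which is still evidence of
    probing), the request for the watched ReplicaID, and a by-ReplicaID
    request for a database not in the watch list. Feed it your real log and
    the real webadmin.ntf ReplicaID from catalog.nsf to watch for the access
    described in this advisory.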

    A check for this problem already exists in DominoScan, NGSSoftware's
    Lotus Domino application security scanner; more information is available
    from http://www.nextgenss.com/dominoscan.html . NISR have also written a
    white paper on securing Lotus Domino's web server, available from
    http://www.nextgenss.com/papers.html

    -----------------------------------------------------