Falling Domino’s
R.K. McPeake, W. Aukema
Contents
• General Intro
• Intro Lotus Notes
• Known Issues
• Our Research
• Conclusions
• Recommendations
• Q&A
BlackHat
General Introduction
• Trust, but Verify
• DEFCON-8, July 31, Las Vegas
• Crucial Facts
• Our Future
Intro Lotus Notes
What is Lotus Notes?
• Secure Groupware Platform
• Email, Application, Web & Database connectivity services
• Application Development Platform
• @Formula language, LotusScript, JavaScript, Java, C/C++ API
How big is Lotus Notes?
• Over 60 million corporate users
• Major Releases: 4.5-, 4.6-, 5.0-
Who Uses Notes?
• Government: Legislature, Military, Intelligence Agencies
• Multinationals: Manufacturing, Pharmaceuticals, Petrochemical, Defense Contractors
• Utilities: Power Companies, Telcos
• Finance: Accounting, Banks, Insurance
• Others: Lawfirms
Why people use Notes
• Security Features
  • Public Key Infrastructure
  • Authentication
  • Encryption
  • Access control levels
    • Server, Database
    • Document, Field
• Reputation
  • Extremely few vulnerabilities
Known Issues
Known Issues
• Misconfigurations
  • 1 - Access Control Lists
  • 2 - Server ID-file passwords
  • 3 - Execution Control Lists
• Product Features
  • 1 - HTTP Server
  • 2 - Names & Address Book
  • 3 - Stored Forms
Common Misconfigurations 1
• Access Control Lists = ACL
• Purpose
  • To restrict access to Notes databases
• Issue
  • Default settings are insecure and allow people to read (and sometimes modify) databases
ACL Issues
• names.nsf: blueprint of the Notes infrastructure; exposes setup and user accounts
• catalog.nsf: lists all Notes databases; exposes ACLs and file locations
• domcfg.nsf: setup/configuration of the web server; allows creating virtual servers/redirects
• log.nsf: monitoring of server/user/agent activity; exposes user and server activity
• and more...
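An added audit script (not part of the slides) that checks an exported set of ACLs for the default-access problem described above: any database where Anonymous or -Default- holds Reader or higher is reported, and the four databases named on the slide are flagged as sensitive. The input format is an assumed simplified export, constructed here.

```python
from dataclasses import dataclass

# Notes ACL access levels, weakest to strongest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Databases the slides single out as dangerous when world-readable.
SENSITIVE_DBS = {"names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf"}

# ACL entries that stand for "anybody": unauthenticated web users, and the
# catch-all for authenticated users who match no explicit entry.
OPEN_ENTRIES = {"Anonymous", "-Default-"}


@dataclass(frozen=True)
class Finding:
    database: str
    entry: str
    level: str
    sensitive: bool  # True when the database is on the slides' list


def audit_acls(acls):
    """acls maps database file name -> {ACL entry: access level}.
    Returns a Finding for every open entry granted Reader or higher."""
    findings = []
    for db, entries in acls.items():
        for entry, level in entries.items():
            if entry not in OPEN_ENTRIES:
                continue
            if RANK.get(level, 0) >= RANK["Reader"]:
                findings.append(Finding(db, entry, level, db.lower() in SENSITIVE_DBS))
    return findings


# Constructed sample ACL export; not real server data.
SAMPLE_ACLS = {
    "names.nsf": {"-Default-": "No Access", "Anonymous": "No Access", "LocalDomainAdmins": "Manager"},
    "catalog.nsf": {"-Default-": "Reader", "Anonymous": "Reader"},  # insecure default left in place
    "log.nsf": {"-Default-": "No Access", "Anonymous": "No Access"},
    "teamsite.nsf": {"-Default-": "Author", "Anonymous": "No Access"},  # open, but not on the slides' list
}

if __name__ == "__main__":
    for f in sorted(audit_acls(SAMPLE_ACLS), key=lambda f: (not f.sensitive, f.database)):
        tag = "SENSITIVE" if f.sensitive else "review"
        print(f"[{tag}] {f.database}: '{f.entry}' has {f.level}")
```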
Common Misconfigurations 2
• SERVER.ID File
• Purpose
  • Server Identity
• Issue
  • To allow auto-restart of Notes servers, absence of a password is recommended.
Server-ID Issues
• With a stolen ID-file, one can:
  • Open all databases on that server
  • Access other servers
Common Misconfigurations 3
• Execution Control Lists = ECL
• Purpose
  • To restrict execution of untrusted code at the Notes client
• Issue
  • R4 till R5.01: default settings allow execution of untrusted and unsigned code
ECL Issues
• Execution of Malicious Code
  • Melissa
  • LoveBug
Product Features 1
• Using URL Syntax
  • http://www.example.com/ +
    • ?open - allows full database browsing
    • database.nsf/$DefaultNav?OpenNavigator - bypasses database navigator settings
• Using HTML Syntax
  • Saving and modifying the HTML source allows upload of unwanted content
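Added detection logic (not from the slides) that runs over web-server log lines and flags the two URL patterns above, plus any request touching the databases listed under ACL Issues. The combined log format and the sample lines are assumed and constructed here; paths are percent-decoded and lower-cased before matching because `$` is often sent as `%24` and Domino URL commands are not case-sensitive.

```python
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Databases the slides list as exposing infrastructure detail when readable.
SENSITIVE_DBS = ("names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf")


def classify(path):
    """Return the reasons a request path matches the URL patterns on the slides
    (percent-decoded, case-insensitive)."""
    decoded = unquote(path).lower()
    base, _, query = decoded.partition("?")
    command = query.split("&", 1)[0]
    reasons = []
    if command == "open":
        reasons.append("?Open: full database browsing")
    if base.endswith("/$defaultnav") and command == "opennavigator":
        reasons.append("$DefaultNav?OpenNavigator: navigator settings bypassed")
    for db in SENSITIVE_DBS:
        if "/" + db in base:
            reasons.append(f"access to {db}")
    return reasons

def detect(lines):
    """Return (client, path, status, reasons) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip
        client, _, _, path, status = m.groups()
        reasons = classify(path)
        if reasons:
            hits.append((client, path, int(status), reasons))
    return hits

# Constructed sample log lines; not from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jul/2000:10:00:01 +0000] "GET /catalog.nsf?Open HTTP/1.0" 200 5120',
    '10.0.0.5 - - [31/Jul/2000:10:00:07 +0000] "GET /mail/jdoe.nsf/%24DefaultNav?OpenNavigator HTTP/1.0" 200 812',
    '10.0.0.9 - - [31/Jul/2000:10:01:15 +0000] "GET /homepage.nsf/Home?OpenDocument HTTP/1.0" 200 3000',
    '10.0.0.7 - - [31/Jul/2000:10:02:44 +0000] "GET /names.nsf/People?OpenView HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for client, path, status, reasons in detect(SAMPLE_LOG):
        print(f"{client} {status} {path} -> {'; '.join(reasons)}")
```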
Product Features 2
• Names and Address Book
  • User IDs stored with the person document
  • HTTP username + password viewable by all internal users
  • HTTP password = ID-file password
Product Features 3
• Stored Forms
  • Explained in detail ->
Stored Forms
• Notes Database Structure
  • Data
    • Structured data
    • RichText (attachments, actions, etc.)
    • HTML (Java / JavaScript)
  • Forms
    • Rendering data
    • Programmable Events
  • Stored Forms
    • Database Object with Form
Stored Forms
• Background
  • Reported back in 1996
    • Oliver Buerger, Germany
    • Der Spiegel (11-03-1996, pages 220-222)
  • Lotus responds with the ECL in R4.5
  • 4 years later, in 2000
    • Very few have the ECL set up correctly
    • Almost everyone allows Stored Forms
Stored Forms
• Purpose
  • Workflow Applications
  • Client Administration
• Issues
  • Enabled by default in every database
  • In the QueryOpen event, no user interaction
  • Transmitted over SMTP
Stored Forms Demonstration
Our Research
Our Research
• Background
  • Published at DEFCON-8, Las Vegas
  • Ethical Disclosure
  • Much Exposure, but
  • Missing Crucial Details
Our Research
• What we will discuss
  • Design Elements
  • Bypassing the ECL
  • Unclear User Preferences
  • Password hash
  • Validating ID-files
Notes Design Elements
• Design Elements
  • Stored in obscure locations within the db
  • Can be modified with Editor access
  • Accessible as regular Notes Documents
• Example
  • Stored Form enabled via ‘f’ in the $Flags item of an Icon document in the mail db
  • For the mail file in an R5.03 client, the note-id for the Icon doc = 2A2, DbScript = 1C6
Execution Control Lists
• Introduced with Release 4.5, to combat the problem with stored forms
• Controls what “foreign” code can be executed depending on Notes “Signatures”
  • Trusted Signature: which functions to allow
  • Default: for signatures not specified in the ECL
  • No Signature: for unsigned code
Execution Control Lists
• Common ECL Problems
  • Very few administrators and users understand ECL concepts
  • ECL settings are stored in an obscure location
  • Until release 5.0.2-, default settings allow “WORLD” access
Execution Control Lists
• We discovered two ways to reset the ECL of a Notes client
  • @RefreshECL("" : "" ; "")
  • Remove ECLSetup = 3 from notes.ini
Execution Control Lists
• We discovered that
  • Notes API calls are not intercepted by the ECL
  • OLE/COM uses the Notes API
Execution Control Lists Demonstration
Unclear User Preferences
• F5 doesn’t do what you think…
• What about sharing that User ID…
Unclear User Preferences Demonstration
Unclear User Preferences
• Observations
  • Once an API program has acquired access, the password remains cached
  • User ID sharing is a flag in the Notes memory process
• Vulnerability
  • Flag can be changed from an external program
  • F5 limited to the Notes client only
Note: an API program can only access what the Notes client has accessed before.
HTTP Password Hash
• Based on a modified RC4 implementation
• HTTP passwords are not salted
  • 355E98E7C7B59BD810ED845AD0FD2FC4 = “password”
  • 06E0A50B579AD2CD5FFDC48564627EE7 = “secret”
  • CD2D90E8E00D8A2A63A81F531EA8A9A3 = “lotus”
• Brute-force/dictionary attacks are possible
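An added audit (not from the slides) that illustrates the consequence of an unsalted hash from the defender's side: it scans exported person documents for the three hashes quoted above and, because equal hashes mean equal passwords, also reports hashes shared by several users without knowing the password itself. The record shape (FullName, HTTPPassword) is assumed, and the sample export and placeholder hashes are constructed; a weak HTTP password matters doubly here since the slides state it equals the ID-file password.

```python
from collections import defaultdict

# Hashes and their plaintexts exactly as quoted on the slide.
KNOWN_WEAK = {
    "355E98E7C7B59BD810ED845AD0FD2FC4": "password",
    "06E0A50B579AD2CD5FFDC48564627EE7": "secret",
    "CD2D90E8E00D8A2A63A81F531EA8A9A3": "lotus",
}


def audit_http_hashes(persons):
    """persons: person-document exports as dicts with FullName and HTTPPassword.

    Returns {"weak": {user: plaintext}, "shared": {hash: [users]}}.
    "shared" only works because the hash is unsalted: two users with the
    same hash have the same password, whatever it is."""
    weak = {}
    by_hash = defaultdict(list)
    for p in persons:
        h = (p.get("HTTPPassword") or "").strip().upper()
        if not h:
            continue  # no web password set; nothing to assess
        by_hash[h].append(p["FullName"])
        if h in KNOWN_WEAK:
            weak[p["FullName"]] = KNOWN_WEAK[h]
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return {"weak": weak, "shared": shared}


# Constructed sample export; PLACEHOLDER_HASH_1 stands in for a real hash value.
SAMPLE_PERSONS = [
    {"FullName": "Alice Example", "HTTPPassword": "355E98E7C7B59BD810ED845AD0FD2FC4"},
    {"FullName": "Bob Example", "HTTPPassword": "06e0a50b579ad2cd5ffdc48564627ee7"},
    {"FullName": "Carol Example", "HTTPPassword": "PLACEHOLDER_HASH_1"},
    {"FullName": "Dave Example", "HTTPPassword": "PLACEHOLDER_HASH_1"},
    {"FullName": "Erin Example", "HTTPPassword": ""},
]

if __name__ == "__main__":
    report = audit_http_hashes(SAMPLE_PERSONS)
    for user, pw in report["weak"].items():
        print(f"known weak password for {user}: {pw!r}")
    for h, users in report["shared"].items():
        print(f"hash {h} shared by {', '.join(users)}")
```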
HTTP Password Hash Demonstration
Notes User ID file
• Delivers:
  • Authentication
    • Access Control
  • Non-Repudiation & Integrity
    • Digital Signature
  • Confidentiality
    • Encryption
Notes User ID file
• Contains:
  • Encrypted Private and Public Key
  • User Information
  • Expiration Date
  • Integrity Control
• Used by:
  • Notes Client
  • Domino Server
  • API-based programs
Notes User ID file
• Notes Client Features:
  • Blocks brute-force attacks
  • Digest checked in the server NAB
  • Auto logoff & F5-based lockout
  • User ID sharing (API programs)
Notes User ID file
• Identity Theft
  • Inside your Network
  • Outside your Organization
Notes User ID file Demonstration
Conclusions
Conclusions
• Multiple vulnerabilities exist
  • At all levels in the Notes / Domino environment
• Causing serious threats
  • Vandalism
  • Theft
  • Fraud
  • Warfare
Conclusions
• Domino Server Security
  • URL syntax
    • Viewing unintended content
    • Uploading content
  • Server ID file
    • No password recommended
Conclusions
• Workstation Security
  • Execution of Malicious Code
    • Stored Forms
    • Two ways to reset the ECL
    • Bypass the ECL with OLE/API calls
  • Continuing a Locked Session
    • With API programs (NotesPeek)
    • Resetting the Sharing Flag
Conclusions
• Database Security
  • Design Elements
    • Accessible as Notes Documents
    • Editor access to modify/corrupt
  • Names & Address Book
    • ECL settings in obscure locations
    • HTTP hashes and other sensitive data viewable by all internal users
    • ID files downloadable
Conclusions
• ID File Security
  • IDs can be obtained
    • Downloaded from the Names & Address Book
    • With malicious code / email
    • From a workstation local/network drive
  • IDs can be validated
    • With the HTTP password hash
    • During an active/cleared session
Recommendations
Recommendations
• Response of Lotus
  • Lacks crucial details
  • No solutions delivered
  • Requires more pressure
• Take Action
  • Assess your situation
  • Check for yourself
  • Follow our recommendations