Security Advisory:    Lotus Notes Stored Form Vulnerability
  Date:                         8th February 2001
  Author:               Chris Jones (aka dp) [EMAIL PROTECTED]
  Versions Affected:    At present only Lotus Notes v4.6 has been tested

----[ Exploit Introduction ] ------------------------------------------
Due to the design flaws of Lotus Notes databases, a user with sufficient knowledge can 
craft a Lotus Notes Email in such a way that the recipient only has to open the email 
or view the email using the preview panes to become infected or to run the arbitrary 

The problem lies in Lotus Notes ability to allow developers to create forms that do 
not rely on a specific template in a database (like normal emails) but instead uses 
its own in built templates that travel within the document. Using these methods an 
experienced Lotus Notes developer could create an email enabled worm specifically for 
Lotus Notes networks. Which could do anything from delete a few files to granting ACL 
rights to the persons mail box (so all emails could be viewed) to retrieving the users 
cached passwords or similar information. Another key point that allows this exploit to 
occur is that the design of the mailbox database has by default been allowed to accept 
stored forms.

----[ Exploit Generation ] ---------------------------------------------
To generate the email a malicious user will need to modify the default 'memo' form's 
design - which does require a developer's edition of Lotus Notes. The malicious user 
then has to modify the forms' properties so the 'Store form in Document' action is 
checked. The malicious user then has a choice he could insert code into the forms 
'PostOpen' event, which requires Lotus Script programming knowledge or he can go the 
easy method and modify the forms 'Launch' properties which allows you to launch the 
first document attachment when opened which could be absolutely anything.

----[ Quick Fix ] ------------------------------------------------------
There is a very quick and very easy method of disabling this feature and that is to 
modify the mailbox database properties so that the 'Allow stored forms' is unchecked. 
This will stop any forms of this attack.

----[ Platforms Tested ] -----------------------------------------------
We tested this exploit out using Lotus Notes version 4.6 but any version of Lotus 
Notes 4 should be affected, as I am sure lower and higher versions would be as well. 
In our experiment I was able to gain manager access to someone else's Email Box using 
4 Lines of Lotus Script code.

----[ Other Notes ] ----------------------------------------------------
Using Lotus Script you can even change the source address of the email to fool the 
user into believing that the infected email came from a trusted source. You could even 
go so far as to code the email so it looks at the target's mailbox and creates a 
duplicate document of his most recent email, so it looks as some other user has sent 
him two copies of the same email.

-   www.progenic.com    -

IC-CRYPT.com - Enhancing Communications Since 1998

Reply via email to