Yeah I can confirm this works.   I tested this awhile ago.  Used the
postopen event and utilized LotusScripts ability to access open APIs.
I successfully was able to remotely reboot a users computer, remove their task bar 
among other

You could litterly copy/paste the mellisa virus code into the postopen
even and it would act the same way the virus did with
Outlook/Exchange since the development environment is mimicked after

Again, this would have to be crafted by someone with a developer ID
and the memo would have to be sent internally.  Not near as big a threat.

Best regards,
 Derek                            mailto:[EMAIL PROTECTED]

Friday, February 09, 2001, 11:13:29 AM, you wrote:

CJ> _________________________________________________________________________

CJ>   Security Advisory:    Lotus Notes Stored Form Vulnerability
CJ>   Date:                         8th February 2001
CJ>   Author:               Chris Jones (aka dp) [EMAIL PROTECTED]
CJ>   Versions Affected:    At present only Lotus Notes v4.6 has been tested
CJ> _________________________________________________________________________

CJ> ----[ Exploit Introduction ] ------------------------------------------
CJ> Due to the design flaws of Lotus Notes databases, a user with sufficient knowledge 
can craft a Lotus Notes Email in such a way that the recipient only has to open the 
email or view the email
CJ> using the preview panes to become infected or to run the arbitrary code.

CJ> The problem lies in Lotus Notes ability to allow developers to create forms that 
do not rely on a specific template in a database (like normal emails) but instead uses 
its own in built templates
CJ> that travel within the document. Using these methods an experienced Lotus Notes 
developer could create an email enabled worm specifically for Lotus Notes networks. 
Which could do anything from
CJ> delete a few files to granting ACL rights to the persons mail box (so all emails 
could be viewed) to retrieving the users cached passwords or similar information. 
Another key point that allows
CJ> this exploit to occur is that the design of the mailbox database has by default 
been allowed to accept stored forms.

CJ> ----[ Exploit Generation ] ---------------------------------------------
CJ> To generate the email a malicious user will need to modify the default 'memo' 
form's design - which does require a developer's edition of Lotus Notes. The malicious 
user then has to modify the
CJ> forms' properties so the 'Store form in Document' action is checked. The malicious 
user then has a choice he could insert code into the forms 'PostOpen' event, which 
requires Lotus Script
CJ> programming knowledge or he can go the easy method and modify the forms 'Launch' 
properties which allows you to launch the first document attachment when opened which 
could be absolutely anything.

CJ> ----[ Quick Fix ] ------------------------------------------------------
CJ> There is a very quick and very easy method of disabling this feature and that is 
to modify the mailbox database properties so that the 'Allow stored forms' is 
unchecked. This will stop any forms
CJ> of this attack.

CJ> ----[ Platforms Tested ] -----------------------------------------------
CJ> We tested this exploit out using Lotus Notes version 4.6 but any version of Lotus 
Notes 4 should be affected, as I am sure lower and higher versions would be as well. 
In our experiment I was able
CJ> to gain manager access to someone else's Email Box using 4 Lines of Lotus Script 

CJ> ----[ Other Notes ] ----------------------------------------------------
CJ> Using Lotus Script you can even change the source address of the email to fool the 
user into believing that the infected email came from a trusted source. You could even 
go so far as to code the
CJ> email so it looks at the target's mailbox and creates a duplicate document of his 
most recent email, so it looks as some other user has sent him two copies of the same 

CJ> _________________________________________________________________________
CJ> -    -
CJ> _________________________________________________________________________

CJ> _____________________________________________________________
CJ> - Enhancing Communications Since 1998

Reply via email to