Re: Lotus Notes Stored Form Vulnerability
>> Isn't the ECL merely based on string matching of the signer rather than checking a certificate or an encrypted key? <<

The ECL elements are strings, but the execution control itself is based on digital signatures.

If somebody signs a piece of program code with a fake "Lotus Notes Template Development" ID (as someone mentioned earlier in this list), or signs a piece of code with any other fake ID whose name already has a corresponding Notes cross-certificate entry in your personal address book, then during the execution of this code your Notes client warns you in a pop-up window that this signature is invalid, and you have the opportunity to abort the execution, execute it only once, or trust the signer. "Trust signer" allows the execution of ALL unsigned pieces of code for this type of task in the future.

If a piece of code has a known signature ("known" means that it already has a corresponding Notes cross-certificate entry in your personal address book), then your Notes client performs the required task if it is allowed in the ECL for that name. If the execution of this type of task is not allowed, then you will be warned in a pop-up window, and you have the opportunity to abort the execution, execute it only once, or trust the signer.

If a piece of code has an unknown signature, your Notes client performs the required task only when the -default- entry in the ECL allows the execution. If this task is not allowed (for -default-), then you will be warned in a pop-up window, and you have the opportunity to abort the execution, execute it only once, or trust the signer. "Trust signer" allows ALL pieces of code with an unknown signature to perform this type of task in the future.

If a piece of code has no signature at all, your Notes client performs the required task only when the -unsigned- entry in the ECL allows the execution. If this task is not allowed (for -unsigned-), then you will be warned in a pop-up window, and you have the opportunity to abort the execution, execute it only once, or trust the signer. "Trust signer" allows ALL pieces of code without a signature to perform this type of task in the future.

Allowing a function by ECL means that in the future you won't be warned when this type of task is to be executed. Of course you can revoke any permission at any time.

Tibike

PS: sorry for my bad English
Re: Lotus Notes Stored Form Vulnerability
Technote # 184674
Q&A: BugTraq "Lotus Notes Stored Form Vulnerability"
http://support.lotus.com/sims2.nsf/eb5fbc0ab175cf0885256560005206cf/89e023ae7ee59e5d852569f90059fd5e?OpenDocument

* Title: Q&A: BugTraq "Lotus Notes Stored Form Vulnerability"
* Product Area: Notes
* Product Release: Notes Client 5.x, Notes Client 4.6x
* Topic: Workstation/Desktop \\ Notes Client Functionality \\ Security \\ ECL

Document #: 184674
Last Update: 02/23/2001

BODY:

What methods are available to protect against potential attacks using a Stored Form in a mail message?
1. Disable the Stored Form setting for all mail files.
OR
2. Use Execution Control Lists (ECLs) to define trusted signers of executable content and assign appropriate levels of access.

When were these features introduced?
The Database Property for "Allow use of stored forms in this database" was introduced in Notes R4.1. The Execution Control List (ECL) feature was introduced in Notes R4.5.

What is a "Stored Form" and how is it used?
When designing a form, a form property can be enabled that will store the form design with the document. The most common usage of this feature is when a document will be mailed and the form does not exist in the users' mail files. By storing the form with the document, additional functionality can be added. For more information on Forms and Documents, please see the Help document included below.

How can the use of a Stored Form be detected for a particular mail message?
The existence of a $Title field on the document indicates that the form is stored with the document. The $Title field will contain the name of the form.

How can Stored Forms be disabled?
This setting is configured in Database Properties. To disable it, uncheck the box on the Basics tab for "Allow use of stored forms in this database".

Who has access to change this setting for a database?
Manager access in the ACL is required to change database properties.

How can administrators disable this setting for all users' mail files?
Disable the setting on the mail template(s) used in your environment and run the Design task (load design from the server console, or as a scheduled task). When new mail files are created from the template, this setting will be disabled. In addition, when the Design task runs (by default, this occurs nightly at 2 am), all databases that inherit from the updated templates will now have this setting disabled. This technique assumes that mail files inherit their design from a specified template(s), which is the default behavior.

If Stored Forms are not enabled for a database, what will happen when the user opens a mail message containing a stored form?
The user will be prompted with a dialog box with the following message: "This document cannot be displayed in its original format because it contains a stored form. This database does not allow use of stored forms. Notes will attempt to open the document using a different format." The default form for the database will be used to display the document instead. Any code associated with the form will not be executed, and some field values may not be able to be read using the default form (i.e. the "Memo" form in mail databases).

Where is the Execution Control List (ECL) stored and configured?
The ECL is stored for each user in their desktop.dsk/desktop5.dsk file. Users can access their ECL from File\Preferences\User Preferences\Security Options. Administrators can configure domain-wide settings in the Public Address Book/Domino Directory by selecting Actions\Edit Administration ECL. Workstation ECLs are inherited from the Administration ECL during workstation setup. In R5.0.5 or higher, these settings can be refreshed from the Administration ECL by clicking the "Refresh" button on the Workstation Security Options dialog. The @RefreshECL command can also be used in formulas to update a user's settings.

How do ECLs protect workstations?
ECLs rely on the use of digital signatures. When a design element is created and saved, it is signed with the user's private key from their ID file. When executable code is activated, Notes checks the signature and verifies what level of access the signer is allowed for that user's workstation. Notes relies on the use of certificates
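The decision procedure Tibike describes above, put together with the Technote's two mitigations (the "Allow use of stored forms" database property and the workstation ECL), as an added model written for this page; it is not Lotus code. Only the $Title item and the two catch-all ECL rows come from the thread. The capability names, the four signature states, the sample identities ("Alice Example/Acme" and an attacker-minted copy of the Lotus signer name) and the sample documents are this example's own assumptions.

```python
"""Model of the Notes client decisions described in this thread (added example,
not Lotus code; names other than $Title and the ECL rows are assumptions)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Signature(Enum):
    NONE = "no signature"       # design element was never signed
    INVALID = "invalid"         # signed, but the signature does not verify
    UNKNOWN = "unknown signer"  # verifies, but the signer's certifier is not cross-certified
    KNOWN = "known signer"      # verifies against a certificate in the address book

class Decision(Enum):
    RUN = "run silently"
    PROMPT = "warn: abort / execute once / trust signer"

# Workstation ECL: signer name -> capabilities permitted without a prompt.
# "-Default-" covers signers without a row of their own (and unknown signers);
# "-No Signature-" covers unsigned code (Tibike's -default- and -unsigned-).
ALL = frozenset({"file_system", "external_programs", "send_mail", "modify_other_databases"})
ECL = Dict[str, FrozenSet[str]]

@dataclass(frozen=True)
class Form:
    name: str
    signer: str            # name string recorded in the signature
    signature: Signature   # outcome of verifying that signature

@dataclass
class Document:
    items: Dict[str, str]
    stored_form: Optional[Form] = None  # set only when the form travels with the document

@dataclass
class Database:
    forms: Dict[str, Form]           # the database's own design elements
    default_form: str
    allow_stored_forms: bool = True  # the Notes default the advisory relies on

def has_stored_form(doc: Document) -> bool:
    return "$Title" in doc.items     # Technote 184674: $Title marks a stored form

def effective_form(db: Database, doc: Document) -> Tuple[Form, bool]:
    """Form the client opens the document with, and whether it travelled with the document."""
    if has_stored_form(doc) and doc.stored_form is not None and db.allow_stored_forms:
        return doc.stored_form, True
    return db.forms[db.default_form], False   # stored form discarded: its code never runs

def ecl_entry(ecl: ECL, form: Form) -> str:
    """ECL row governing this form. Rows are keyed by a name string, but the name
    counts only after the signature verified against a certificate already trusted."""
    if form.signature in (Signature.NONE, Signature.INVALID):
        return "-No Signature-"
    if form.signature is Signature.UNKNOWN or form.signer not in ecl:
        return "-Default-"
    return form.signer

def decide(ecl: ECL, form: Form, capability: str) -> Tuple[Decision, str]:
    entry = ecl_entry(ecl, form)
    if form.signature is Signature.INVALID:   # always reported; "trust signer" here
        return Decision.PROMPT, entry         # only widens the -No Signature- row
    allowed = ecl.get(entry, frozenset())
    return (Decision.RUN if capability in allowed else Decision.PROMPT), entry

def open_document(db: Database, doc: Document, ecl: ECL, capability: str) -> Tuple[str, str, bool]:
    form, travelled = effective_form(db, doc)
    decision, entry = decide(ecl, form, capability)
    return decision.value, entry, travelled

def stored_form_messages(docs: List[Document]) -> List[Tuple[str, str]]:
    """Triage: (subject, stored form name) for every document carrying $Title."""
    return [(d.items.get("Subject", ""), d.items["$Title"]) for d in docs if has_stored_form(d)]

# Constructed sample data, not from the thread.
LOTUS = "Lotus Notes Template Development/Lotus Notes"
LOOSE_ECL: ECL = {"-Default-": ALL, "-No Signature-": ALL}   # pre-R5 style: everything runs
TIGHT_ECL: ECL = {"-Default-": frozenset(), "-No Signature-": frozenset(),
                  LOTUS: ALL, "Alice Example/Acme": ALL}    # R5 style: named signers only
GENUINE_MEMO = Form("Memo", LOTUS, Signature.KNOWN)
MAILBOX = Database({"Memo": GENUINE_MEMO}, "Memo")
LOCKED_MAILBOX = Database({"Memo": GENUINE_MEMO}, "Memo", allow_stored_forms=False)
# Attacker-built memo whose form travels with it. The signer string copies the Lotus
# name, but the ID came from an attacker-run certifier, so it verifies only as UNKNOWN.
SPOOFED = Document({"Subject": "Quarterly numbers", "$Title": "Memo"},
                   Form("Memo", LOTUS, Signature.UNKNOWN))
UNSIGNED = Document({"Subject": "Invoice", "$Title": "Memo"}, Form("Memo", "", Signature.NONE))
PLAIN = Document({"Subject": "Lunch?"})

def run_scenarios(capability: str = "external_programs") -> Dict[str, Tuple[str, str, bool]]:
    """What happens to the spoofed memo under each combination of mitigations."""
    return {
        "loose ECL, stored forms on": open_document(MAILBOX, SPOOFED, LOOSE_ECL, capability),
        "tight ECL, stored forms on": open_document(MAILBOX, SPOOFED, TIGHT_ECL, capability),
        "loose ECL, stored forms off": open_document(LOCKED_MAILBOX, SPOOFED, LOOSE_ECL, capability),
    }
```

Call `run_scenarios()` and `stored_form_messages([SPOOFED, UNSIGNED, PLAIN])` from a Python prompt. The spoofed-signer case is the one the thread keeps coming back to: an attacker can reproduce the string "Lotus Notes Template Development/Lotus Notes" on a home-grown certifier, but in this model, following Tibike's description, the workstation classifies that signature as unknown because the certifier is not cross-certified, so the Lotus row is never consulted and the -Default- row decides. With a loose pre-R5-style -Default- the code runs silently; with the empty R5-style row the user is prompted; and with stored forms disabled the travelling form is discarded and the database's own Memo form is used, so whatever was attached to the stored form never runs at all.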
Re: Lotus Notes Stored Form Vulnerability
OK, here's how it goes.

R4
Stored forms enabled, ECL implemented but left wide open. Stored forms cannot be received via external mail.
If I was a hacker trying to use a stored form on R4, I would have to create the form on my own computer, then take the edited template/database, get it into the company I want to use, get hold of a valid ID and password, and then send it. The problems are (ignoring the coding ones): getting an ID file and password for the company's Notes; getting into their LAN (not just past their firewall but actually on their LAN) somehow. If I was a hacker and could get onto a LAN with a valid ID and password, sending a mail would not be high on my list of things to do.
PS: the previous mails are correct, this has been around for years.

R5
Stored forms enabled, ECL implemented but by default as tight as a shark's arse at 25,000 fathoms. Stored forms can be received via external mail, if the recipient is trusted.
We are on similar ground with R5, but with the added bits of ECL (which is based on a text match, not on public/private key checking) and the ability to send Notes mails over the Net. Same problems as before if you want to do it over the LAN, with the added bit that you would have to build a server first to create the correct domain with which to stamp the database. But we could attack over the Net, can't we? Well, yes, if the domain we attack trusts us, or if we are certain that the company is using Notes for its SMTP gateway with nothing in between it and the Net, like a VAX or anything like that, and if the administrators are daft and have left the SMTP gateway wide open.

I have been writing groupware with Notes/Domino/Exchange and the web for 6 years now. This issue was old years ago, and as far as security loopholes go I'm not going to lose masses of sleep over it. If you set up your system with a normal degree of sense, I don't see it ever causing a problem. If anyone disagrees my mail is [EMAIL PROTECTED]

Thanks
Re: Lotus Notes Stored Form Vulnerability
Morning all, well afternoon, or in fact evening!

Well, I have now realised, thanks to a few people, that this 'exploit' is nothing new. I actually didn't think it was! It just seemed too simple to be new, but when I searched for any information on it I came up empty, which is why I posted the information on BugTraq. I apologise to Oliver Buerger, who apparently found this exploit 5 years ago. I really wouldn't have posted the information if I had known that it had already been discussed and researched by someone else. I myself have only been working with Lotus Notes for the past 2 years, and I believe that even though this exploit was found years before, many new Lotus Notes users and admins can still benefit from the information I did provide.

Just thought I'd better clear that up before I received any more emails insulting me for apparently taking credit for someone else's work, which I have not.

Thanks
Chris

IC-CRYPT.com - Enhancing Communications Since 1998
Re: Lotus Notes Stored Form Vulnerability
Isn't the ECL merely based on string matching of the signer rather than checking a certificate or an encrypted key? Wouldn't it be possible to create the 'Lotus Notes' domain and thus pose as 'Lotus Notes Template Development/Lotus Notes', which is accepted in the ECL by default, as they created most templates in use on the client?

"Felix Grushevsky" <[EMAIL PROTECTED]> on 02/13/2001 09:06:09 AM
To: Security Advisory/VMD/desjardins@VMD
Subject: Re: Lotus Notes Stored Form Vulnerability

Guys,
Again - set up ECL and try it again. Notes has had Execution Control List protection for years. When it is set, only code from trusted sources will be allowed to run on user workstations.
Best Regards,
Feliks Grushevskiy
Re: Lotus Notes Stored Form Vulnerability
I am not certain of the need to send the memo internally. There is a mail distribution option that allows the user to indicate that the recipient is a Notes user, thus packaging the email in 'Notes Rich Text' format. I have successfully sent and accepted meeting invitations this way, as well as verified that commonly shared custom 'letterheads' would also follow, which means that at least some of the other fields (as well as the ones needed to route the email) also get packaged in.

Also, having or creating a 'dev' ID is hardly a problem. One needs only to be running one's own site to be free to create any ID one wishes.

At first hand, and especially without having crafted an exploit to test this, I would be one to be concerned about this possibility. Would love more info.

Frank.
Re: Lotus Notes Stored Form Vulnerability
People administering Lotus Domino should still be aware that the default settings for the ECL were VERY loose before Lotus Notes release 5.x (e.g. they permitted unsigned code to be run). This means that the suggested "vulnerability" could still be exploited at a site with an improperly configured Lotus Notes installation.

Mikkel Heisterberg
Re: Lotus Notes Stored Form Vulnerability
Yeah, I can confirm this works. I tested this a while ago. Used the PostOpen event and utilized LotusScript's ability to access open APIs. I successfully was able to remotely reboot a user's computer, remove their task bar, among other things. You could literally copy/paste the Melissa virus code into the PostOpen event and it would act the same way the virus did with Outlook/Exchange, since the development environment is modelled after VBA. Again, this would have to be crafted by someone with a developer ID and the memo would have to be sent internally. Not nearly as big a threat.

--
Best regards,
Derek
mailto:[EMAIL PROTECTED]
Re: Lotus Notes Stored Form Vulnerability
Lotus Notes has a security protection measure called ECL - Execution Control List. Basically, every executable design element (form, agent, database etc.) in Lotus Notes has a signature on it. The signature tells Notes about the last person who changed this design element. The ECL determines whether the signer of the code is allowed to have its code run on a given workstation, and defines the extent to which the code has access to various workstation functions and is gated by the workstation security ECL.

Basically, in your example you did not have ECL configured - so configure it and do your testing again.

See also
http://www.notes.net/today.nsf/f01245ebfc115aaf8525661a006b86b9/3a9da544637a69b2852568310078b649?OpenDocument

Best Regards,
Feliks Grushevskiy
Lotus Notes Stored Form Vulnerability
Security Advisory: Lotus Notes Stored Form Vulnerability
Date: 8th February 2001
Author: Chris Jones (aka dp) [EMAIL PROTECTED]
Versions Affected: At present only Lotus Notes v4.6 has been tested

[ Exploit Introduction ]
Due to design flaws in Lotus Notes databases, a user with sufficient knowledge can craft a Lotus Notes email in such a way that the recipient only has to open the email, or view it using the preview pane, to become infected or to run the arbitrary code.

The problem lies in Lotus Notes' ability to allow developers to create forms that do not rely on a specific template in a database (like normal emails) but instead use their own built-in template that travels within the document. Using these methods an experienced Lotus Notes developer could create an email-enabled worm specifically for Lotus Notes networks, which could do anything from deleting a few files, to granting ACL rights to the person's mailbox (so all emails could be viewed), to retrieving the user's cached passwords or similar information. Another key point that allows this exploit to occur is that the design of the mailbox database has by default been allowed to accept stored forms.

[ Exploit Generation ]
To generate the email a malicious user will need to modify the default 'Memo' form's design, which does require a developer's edition of Lotus Notes. The malicious user then has to modify the form's properties so that 'Store form in Document' is checked. The malicious user then has a choice: he could insert code into the form's 'PostOpen' event, which requires LotusScript programming knowledge, or he can go the easy way and modify the form's 'Launch' properties, which allow you to launch the first document attachment when opened, which could be absolutely anything.

[ Quick Fix ]
There is a very quick and very easy method of disabling this feature, and that is to modify the mailbox database properties so that 'Allow stored forms' is unchecked. This will stop any form of this attack.

[ Platforms Tested ]
We tested this exploit out using Lotus Notes version 4.6, but any version of Lotus Notes 4 should be affected, and I am sure lower and higher versions would be as well. In our experiment I was able to gain manager access to someone else's email box using 4 lines of LotusScript code.

[ Other Notes ]
Using LotusScript you can even change the source address of the email to fool the user into believing that the infected email came from a trusted source. You could even go so far as to code the email so it looks at the target's mailbox and creates a duplicate document of his most recent email, so it looks as if some other user has sent him two copies of the same email.

- www.progenic.com -
IC-CRYPT.com - Enhancing Communications Since 1998