L0pht Advisory: Lotus Note Vulnerability

From: Aleph One (aleph1at_private)
Date: Wed Aug 05 1998 - 08:36:27 PDT


    http://www.l0pht.com/advisories/nny.txt
    
    `'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
                     L0pht Security Advisory
        URL Origin:  http://www.l0pht.com/advisories.html
      Release Date:  July 31, 1998   Application:  Notes 4.6+ Client
     Operating Sys:  Any
          Severity:  Users can overwrite/create system files
            Author:  nny <nnyat_private>
      Patch Status:  Lotus has been made aware of this vulnerability
    `'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
    
    I. Description
    
    The L0pht has received reports regarding a vulnerability in some
    implementations of Lotus Domino via the Notes Client. Information about
    this vulnerability has been posted to various public mailing lists and
    newsgroups.
    
    Versions 4.6+ of the Lotus Notes Client appear to be vulnerable; lower
    versions may also be vulnerable but at this time are untested.  The
    vulnerability affects companies that use Lotus Notes primarily for
    development purposes or as an Intranet. Also any servers that were
    distributed with the Lotus Notes Client and are not running the HTTPD
    task by default are vulnerable.  Note: This assumes Domino servers have
    already been patched per the previous advisory.
    
    Additionally, previous vulnerabilities, such as the one presented by
    mattwat_private (Web users can write to remote server drives and change
    server configuration files), come into play once more with the
    addition of the vulnerability in the Notes Client. No new vulnerability
    exists in Lotus Domino servers that run the HTTP task by default.
    
    II. Impact
    
    Remote intruders can potentially retrieve in-development databases,
    confidential company records, and similar data. All of the above can be
    achieved by connecting to a vulnerable Notes Client.
    
    IIa. To Test
    
    From within Lotus Notes 4.6+ Client:
    1. Open any given database
    2. Click Actions -> Preview in Web Browser
    
    This should have launched your designated web browser and connected to
    http://199.99.99.99/database or something similar. Even though you only
    have the Notes Client installed on the machine and not the server, the
    HTTPD task is now running and accepting connections on port 80. Thus
    anyone on the Internet could then request http://199.99.99.99/domcfg.nsf/?open
    or even http://199.99.99.99 (to get a listing of the available
    databases). Subsequently you could open the log and see the database(s)
    the given user was recently accessing or modifying.
    
    From this point you can search around and basically manipulate documents
    that do a wide variety of things. Domino URL commands (which can be used
    to edit, delete, and manipulate files via the web) can be found in all
    documentation as well as at:
    http://www.notes.net/today.nsf/cbb328e5c12843a9852563dc006721c7/ca5230f9baf39fe1852564b5005e8419
    
    Note: Once the Notes Client is closed the HTTPD task is also.
    
    III. Solution
    
    ACLs need to be edited manually by a competent admin to ensure
    security.  Take, for example, domlog.nsf: if it could be read, that alone
    is a security breach.
    
    Workaround
    Set up routing filters to disallow access to the HTTP port of
    Notes Client only machines.
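
    As an added detection example (not part of the L0pht advisory): a script
    that reviews an HTTP access log from a Notes Client only machine for the
    access patterns described above, so an admin can verify the routing
    filters actually hold. It assumes the log is available as Common Log
    Format text and that 10.0.0.0/8 is the internal range; the log lines
    below are constructed, and the modifying URL command names are Domino's
    own (?EditDocument, ?DeleteDocument, ?SaveDocument, ?CreateDocument).

```python
import ipaddress
import re

# Databases and URL usage the advisory singles out once the Notes Client's
# HTTPD task is reachable: the web server configuration database, the web
# log database, a bare "/" request listing all databases, and Domino URL
# commands that modify documents. SAMPLE_LOG is constructed, not real traffic.
SENSITIVE_DBS = ("domcfg.nsf", "domlog.nsf")
MODIFYING_COMMANDS = ("editdocument", "deletedocument", "savedocument", "createdocument")

CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
10.1.1.25 - - [05/Aug/1998:08:36:27 -0700] "GET /dev.nsf?OpenDatabase HTTP/1.0" 200 4102
192.0.2.44 - - [05/Aug/1998:08:40:11 -0700] "GET / HTTP/1.0" 200 2210
192.0.2.44 - - [05/Aug/1998:08:40:30 -0700] "GET /domcfg.nsf/?open HTTP/1.0" 200 8871
10.1.1.25 - - [05/Aug/1998:08:45:00 -0700] "GET /domlog.nsf?OpenDatabase HTTP/1.0" 200 15022
192.0.2.44 - - [05/Aug/1998:08:46:13 -0700] "GET /dev.nsf/0/abc123?EditDocument HTTP/1.0" 200 512
this line is not a log record
"""

def flag_exposed_http(log_text, internal_nets=("10.0.0.0/8",)):
    """Return (source, uri, reasons) for each request that reaches the exposed
    HTTPD task from outside the internal range, lists databases, touches a
    sensitive database, or issues a modifying URL command."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip malformed records rather than abort the review
        src, uri = m.group("src"), m.group("uri")
        reasons = []
        try:
            if not any(ipaddress.ip_address(src) in n for n in nets):
                reasons.append("external source")
        except ValueError:  # hostname instead of an address: treat as unknown
            reasons.append("unresolved source")
        path, _, query = uri.partition("?")
        if path == "/":
            reasons.append("database listing")
        if any(db in path.lower() for db in SENSITIVE_DBS):
            reasons.append("sensitive database")
        if any(query.lower().startswith(c) for c in MODIFYING_COMMANDS):
            reasons.append("modifying URL command")
        if reasons:
            findings.append((src, uri, reasons))
    return findings
```

    Any "external source" finding means the routing filter recommended above
    is not in place for that host; the other reasons show what the exposed
    HTTPD task was used for.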
    
    --------------------------------------------------------------------------
    
    The authoritative version of this file is at:
    http://www.l0pht.com/advisories.html
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:24 PDT