Slide 1: Falling Dominos: Lotus Notes & Domino Security
Chris Goggans, Patrick Guenther, Kevin McPeake, Wouter Aukema
July 2000
Slide 2: What is Lotus Notes?
- Secure Groupware Platform: …, Application, Web & Database connectivity services
- Application Development Platform: @Formula language, LotusScript, JavaScript, Java, C/C++ API

Slide 3: How big is Lotus Notes?
- Over 60 million corporate users
- Majority on 4.6
- Minority on 5.0

Slide 4: Who Uses Notes?
- Utilities: Power Companies, Telcos
- Multinationals: Manufacturing, Pharmaceuticals, Petrochemical, Defense Contractors
- Government: Legislature, Military, Intelligence Agencies
- Finance: Law Firms, Accounting, Banks, Insurance

Slide 5: Why they use Notes
- Security Features: Public Key Infrastructure, Authentication, Encryption
- Access control levels: Server, Database, Document, Field
- Meets DMS requirements

Slide 6: We will demonstrate
- New Security Vulnerabilities: Execution Control Lists; Password hash attack (HTTP & ID File)
- These attacks can be used to gain complete control of a Domino / Notes network within minutes by assuming various valid user identities on the network, and obfuscating an attacker's tracks

Slide 7: Introduction to Notes Vulnerabilities
- Categorization: Vandalism, Theft, Fraud, Information Warfare
- We will concentrate on InfoWar

Slide 8: Common Notes Security Problems
- #1 Security problem: misconfiguration and/or default installation security settings are used
  - ACL
  - Names & Address book (Domino Directory) settings
  - Server ID passwords
  - ECL
- Several security advisories already available

Slide 9: Access Control Lists
- To restrict access to Notes databases, access control lists are used
- Many Notes servers are installed with default settings, which are insecure and allow people to read and modify most databases

Slide 10: Common ACL problems
- www.example.com/?Open
  - Allows full database browsing
  - Allows bypassing of default database views
  - Allows bypassing of database navigator settings

Slide 11: Common Default (misconfigured) Databases
- names.nsf: Lotus Notes names and address book
- catalog.nsf: Directory of available databases
- domcfg.nsf: Domino configuration
- log.nsf: Errors and event log
- webadmin.nsf: Remote Web-based administration of the Domino server
- setup.nsf & setupweb.nsf: Setup configuration / installation databases
- By default, users are managers of their own mail files

Slide 12: Names.nsf
- HTTP password hash is often viewable
- ID files still attached to person documents
- Database does not contain an Anonymous entry in the ACL
- Provides a base blueprint of the existing Notes infrastructure

Slide 13: Catalog.nsf
- Contains a complete catalog of every database on each server
- Often does not contain an Anonymous entry in the ACL

Slide 14: Domcfg.nsf
- The Domino Configuration database used in the installation & configuration of a Domino Web server
- Often contains a Manager access entry for the Default user in the ACL and does not contain an entry for Anonymous

Slide 15: Log.nsf
- Often the ACL is incorrectly set, allowing Web users to view all relevant information about the operation of a Domino server
- Can be overwritten with erroneous data, allowing an attacker to cover his/her tracks
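An added example (not part of the presentation) that audits a constructed ACL export for the default-database problems described on the Names.nsf, Catalog.nsf, Domcfg.nsf and Log.nsf slides: a missing Anonymous entry, Anonymous above No Access, and an over-privileged -Default-. The CSV layout, the group names and the "Reader" ceiling for -Default- are assumptions.

```python
import csv
import io

# Notes ACL access levels, least to most privileged.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Databases named on the "Common Default (misconfigured) Databases" slide.
SYSTEM_DBS = {"names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf",
              "webadmin.nsf", "setup.nsf", "setupweb.nsf"}

# Constructed sample export (database,entry,level); group names are made up.
SAMPLE_EXPORT = """database,entry,level
names.nsf,-Default-,Author
names.nsf,LocalDomainAdmins,Manager
catalog.nsf,-Default-,Reader
catalog.nsf,Anonymous,No Access
domcfg.nsf,-Default-,Manager
log.nsf,-Default-,Reader
log.nsf,Anonymous,Reader
webadmin.nsf,-Default-,No Access
webadmin.nsf,Anonymous,No Access
"""

def parse_acls(text):
    """Return {database: {entry: level}} from the CSV export."""
    acls = {}
    for row in csv.DictReader(io.StringIO(text)):
        acls.setdefault(row["database"].lower(), {})[row["entry"]] = row["level"]
    return acls

def audit(acls, max_default="Reader"):
    """Return sorted (database, finding) pairs for the system databases.
    Without an explicit Anonymous entry, unauthenticated web users inherit
    the -Default- level, which is the failure mode the slides describe."""
    findings = []
    for db in sorted(SYSTEM_DBS):
        entries = acls.get(db)
        if entries is None:
            continue  # database not present in this export
        anon = entries.get("Anonymous")
        if anon is None:
            findings.append((db, "no Anonymous entry; web users get -Default- access"))
        elif RANK[anon] > RANK["No Access"]:
            findings.append((db, f"Anonymous has {anon}"))
        default = entries.get("-Default-", "No Access")
        if RANK[default] > RANK[max_default]:
            findings.append((db, f"-Default- has {default}"))
    return findings
```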
Slide 16: Notes Server ID file
- To allow auto-restart of Notes servers, the SERVER.ID file is actually recommended not to be password protected
- If host-level security allows this file to be retrieved, it can be used locally from a client to unlock any database

Slide 17: Notes Databases
- Data: Structured data; RichText (attachments, actions, etc.); HTML (Java / JavaScript)
- Forms: Rendering data; Programmable Events
- Stored Forms: Database Object with Form; Can be sent over SMTP

Slide 18: Stored Form Method
- Reported back in 1996: Oliver Buerger, Germany; Der Spiegel ( , page )
- Lotus responds with the ECL in R4.5
- 4 years later, in 2000: Very few have the ECL set up correctly; Almost everyone allows Stored Forms

Slide 19: Stored Forms
- Any Notes document or database can have embedded LotusScript through the use of "Stored Forms"
- LotusScript provides a means to do almost anything to the Notes client executing it
- By default, stored forms are allowed on all mail databases

Slide 20: Stored Form Method
- Design a form that launches a payload, and/or:
- With the QueryOpen event, no user interaction is required!

Slide 21: Demonstration

Slide 22: Stored Form Attacks
- Observations: No user interaction was required; No warnings presented before execution; Because the ECL was not properly configured
- Tighten up the ECL
- Disable Stored Forms

Slide 23: Execution Control Lists
- To combat the problem with stored forms, Lotus implemented Execution Control Lists in version 4.5
- ECLs allow users and administrators to activate controls on what "foreign" code can be executed, depending on Notes "Signatures"
  - Trusted Signature: which functions to allow
  - Default: for signatures not specified in the ECL
  - No Signature: for unsigned code

Slide 24: Common ECL Problems
- Very few administrators and users understand ECL concepts
- ECL settings are stored in an obscure location
- Until release (…), default settings allowed "WORLD" access
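An added example (not from the presentation) that models the ECL lookup described on the Execution Control Lists slide (trusted signature, then -Default-, with -No Signature- for unsigned code) and contrasts a permissive "WORLD"-style ECL with a tightened one. The capability names, the signer name and both ECL tables are constructed; they are not Lotus defaults.

```python
# Constructed capability names; a real ECL is a set of per-action checkboxes
# (file system, environment variables, external programs, ...).
ALL_CAPS = frozenset({"file_system", "environment", "external_code",
                      "external_programs", "network"})

DEFAULT = "-Default-"            # used for signers not listed in the ECL
NO_SIGNATURE = "-No Signature-"  # used for unsigned code

def ecl_allows(ecl, signer, capability):
    """Resolve the entry the way the slide describes: exact trusted
    signature first, else -Default-; unsigned code uses -No Signature-."""
    if signer is None:
        entry = ecl.get(NO_SIGNATURE, frozenset())
    else:
        entry = ecl.get(signer, ecl.get(DEFAULT, frozenset()))
    return capability in entry

def code_may_run(ecl, signer, capability, path="client"):
    """Decision for one piece of active content.  Content executed by the
    Notes client is subject to the ECL; the slides state that Notes API
    calls (OLE/COM) are not intercepted, so that path is modelled as ungated
    and has to be closed by other controls (e.g. removing the OLE ProgIDs)."""
    if path == "api":
        return True
    return ecl_allows(ecl, signer, capability)

def weak_entries(ecl):
    """Catch-all entries that grant anything.  Rights here reach code from
    unknown or absent signers, which makes trusted signatures moot."""
    return sorted(name for name in (DEFAULT, NO_SIGNATURE) if ecl.get(name))

# Constructed signer name; both ECLs are illustrative, not vendor defaults.
ADMIN = "CN=Domino Admin/O=ExampleOrg"

# Early-release style: the catch-all entries allow everything ("WORLD" access).
PERMISSIVE_ECL = {ADMIN: ALL_CAPS, DEFAULT: ALL_CAPS, NO_SIGNATURE: ALL_CAPS}

# Tightened: only the named signer is trusted; everything else is denied.
TIGHT_ECL = {ADMIN: ALL_CAPS, DEFAULT: frozenset(), NO_SIGNATURE: frozenset()}
```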
Slide 25: Removing the ECL
- 2 undocumented ways to reset an ECL:
  - @RefreshECL("" : "" , "")
  - Remove ECLSetup=3 from notes.ini

Slide 26: ECL Attack
- Notes API calls are not intercepted by the ECL
- OLE/COM uses the Notes API

Slide 27: Demonstration

Slide 28: Notes Design Elements
- Design elements have 'fixed' note-ids for databases that share the same template version (forms, views, agents, database scripts)
- When accessed as regular Notes documents, they are modifiable
- The stored forms attribute is designated as a lowercase "f" in the $FLAGS field of the Icon for each database
- For the mail file in an R5.03 client, the note-id for the Icon doc = 2A2, dbScript = 1C6

Slide 29: ECL Attacks: Observations
- ECLs do not intercept API calls
- Payloads execute on full behalf of the Notes user
- The Notes client is not being used

Slide 30: ECL Attacks: Recommendations
- OLE: remove from the Registry: Notes.NotesSession, Notes.NotesUIWorkspace
- Press F5 prior to launching attachments
- Use the internal Notes Viewer

Slide 31: Live Demo
- F5 doesn't do what you think…
- What about sharing that User ID …

Slide 32: Conclusion
- Observations: Once an API program has acquired access, it remains cached; The User ID sharing is a flag in the Notes process memory
- Vulnerability: The flag can be changed from an external program; F5 is limited to the Notes client only
- Note: API programs can only access what the Notes client accessed before

Slide 33: Recommendation
- Instead of using F5 or auto-lock, kill your Notes client

Slide 34: HTTP Password Hash
- Lotus HTTP passwords are based on a modified RC4 implementation
- HTTP passwords are not salted
- 355E98E7C7B59BD810ED845AD0FD2FC4 = password
- 06E0A50B579AD2CD5FFDC EE7 = secret
- CD2D90E8E00D8A2A63A81F531EA8A9A3 = lotus
- Basic dictionary-based password-guessing programs are possible
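An added example (not from the presentation) of the defender-side consequence of the unsalted hash on this slide: from an export of HTTPPassword fields one can tell which users are still on the legacy 32-hex format, which users share a password (equal hashes), and whose hash equals a value that has already been published (the two intact values on the slide). The export layout, the user names and the salted-hash placeholder are constructed.

```python
import re
from collections import defaultdict

# Legacy Domino HTTP password hash as shown on the slide: 32 hex digits, no salt.
LEGACY_HASH = re.compile(r"^[0-9A-Fa-f]{32}$")

# Hash values copied from the slide, keyed to the password the slide gives.
PUBLISHED_WEAK = {
    "355E98E7C7B59BD810ED845AD0FD2FC4": "password",
    "CD2D90E8E00D8A2A63A81F531EA8A9A3": "lotus",
}

# Constructed export of (ShortName, HTTPPassword); user names are made up and
# the placeholder stands in for an already upgraded, salted hash.
SAMPLE_PERSONS = [
    ("jdoe", "355E98E7C7B59BD810ED845AD0FD2FC4"),
    ("asmith", "CD2D90E8E00D8A2A63A81F531EA8A9A3"),
    ("bwong", "355e98e7c7b59bd810ed845ad0fd2fc4"),
    ("svc_http", "SALTED-HASH-PLACEHOLDER"),
    ("nobody", ""),
]

def classify(hash_value):
    """'none' for no HTTP password, 'legacy-unsalted' for the 32-hex format,
    'other' for anything else (e.g. an upgraded hash)."""
    if not hash_value:
        return "none"
    if LEGACY_HASH.match(hash_value):
        return "legacy-unsalted"
    return "other"

def audit_hashes(persons):
    """Return (legacy_users, shared, published).
    legacy_users: still on the unsalted format, candidates for the upgrade
                  the recommendations slide asks for.
    shared:       hash -> users; with no salt, equal passwords give equal
                  hashes, so shared passwords are visible without guessing.
    published:    user -> password for hashes already in PUBLISHED_WEAK."""
    legacy, by_hash, published = [], defaultdict(list), {}
    for user, h in persons:
        if classify(h) != "legacy-unsalted":
            continue
        legacy.append(user)
        by_hash[h.upper()].append(user)
        if h.upper() in PUBLISHED_WEAK:
            published[user] = PUBLISHED_WEAK[h.upper()]
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return legacy, shared, published
```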
Slide 35: Notes User ID file: Delivers
- Authentication: Access Control
- Non-Repudiation & Integrity: Digital Signature
- Confidentiality: Encryption

Slide 36: Notes User ID file
- Contains: Encrypted Private and Public Key; User Information; Expiration Date; Integrity Control
- Used by: Lotus Notes Client; Lotus Domino Server; Notes API based programs

Slide 37: Lotus Notes Client: ID file related features
- Blocks brute-force attacks
- Digest checked in server NAB
- Auto logoff & F5-based lockout
- User ID sharing (API programs)

Slide 38: Notes Identity Theft
- Within your Organization: At your own workstation; Within your Notes network
- Outside your Organization: With your web browser; Through hostile code

Slide 39: Demonstration

Slide 40: Conclusion
- F5 does not clear your private information
- Because the ID file and its password hash are available, your ID file can be validated, without its password, by other people

Slide 41: Summary
- Password Hash: Can be found in the Notes NAB (with a Notes Client, with a Browser); Resides in the Notes process memory
- User ID File: Can be found on the local workstation, on shared drives, in the Domino Directory (Names & Addressbook)

Slide 42: Recommendations
- Restrict access from the Web
- Don't store User IDs in the NAB
- Choose different passwords for the ID and the HTTP account
- Store the User ID file on removable media
- Use strong password hash (Lotus)
- Manually upgrade to the stronger hash (Lotus)
- Exit Notes completely when leaving your desk
- Never click on ANY attachments

Slide 43: Recommendations
- Enforce ACLs on ALL databases
- Restrict anonymous browsing on all default databases
- Disable stored forms on mail databases
- Enforce strong ECLs on all unsigned and untrusted documents
- Ensure strong host-level security on all Notes servers

Slide 44: For More Information
- http://www.trust-factory.com