
Falling Domino’s

R.K. McPeake

W. Aukema


Contents

  • General Intro

  • Intro Lotus Notes

  • Known Issues

  • Our Research

  • Conclusions

  • Recommendations

  • Q&A

BlackHat


General Introduction

  • Trust, but Verify

  • DEFCON-8, July 31, Las Vegas

  • Crucial Facts

  • Our Future



Intro Lotus Notes



What is Lotus Notes?

  • Secure Groupware Platform

    • Email, Application, Web & Database connectivity services

  • Application Development Platform

    • @Formula language, LotusScript, Javascript, Java, C/C++ API



    How big is Lotus Notes?

    • Over 60 million corporate users

    • Major releases: 4.5, 4.6, 5.0


    Who Uses Notes?

    • Government

      • Legislature

      • Military

      • Intelligence Agencies

    • Multinationals

      • Manufacturing

      • Pharmaceuticals

      • Petrochemical

      • Defense Contractors

    • Utilities

      • Power Companies

      • Telcos

    • Finance

      • Accounting

      • Banks

      • Insurance

    • Others

      • Law firms


    Why people use Notes

    • Security Features

      • Public Key Infrastructure

        • Authentication

        • Encryption

      • Access control levels

        • Server, Database

        • Document, Field

    • Reputation

      • Extremely few vulnerabilities


    Known Issues



    Known Issues

    • Misconfigurations

      • 1 - Access Control Lists

      • 2 - Server ID-file passwords

      • 3 - Execution Control Lists

    • Product Features

      • 1 - HTTP Server

      • 2 - Names & Address Book

      • 3 - Stored Forms


    Common Misconfigurations 1

    • Access Control Lists = ACL

      • Purpose

        • To restrict access to Notes databases

    • Issue

      • Default settings are insecure and allow people to read (& sometimes modify) databases



    ACL Issues

    Each default database and what a reader of it gets:

    • names.nsf (Names & Address Book): blueprint of the Notes infrastructure; browse setup and user accounts

    • catalog.nsf (Database Catalog): lists all Notes databases; browse ACLs and file locations

    • domcfg.nsf (Web Server Configuration): setup and configuration of the web server; create virtual servers and redirects

    • log.nsf (Server Log): monitoring of server, user and agent activity; browse user and server activity

    • and more...


    Common Misconfigurations 2

    • SERVER.ID file

      • Purpose

        • Server identity

    • Issue

      • To allow unattended restart of Notes servers, running the server ID without a password is the recommended setup


    Server-ID Issues

    • With a stolen server ID file, one can:

      • Open all databases on that server

      • Access other servers


    Common Misconfigurations 3

    • Execution Control Lists = ECL

      • Purpose

        • To restrict execution of untrusted code at the Notes client

    • Issue

      • R4 through R5.0.1: the default settings allow execution of untrusted and unsigned code


    ECL Issues

    • Execution of Malicious Code

      • Melissa

      • LoveBug



    Product Features 1

    • Using URL syntax

      • http://www.example.com/ +

        • ?Open: allows full database browsing

        • database.nsf/$DefaultNav?OpenNavigator: bypasses the database's navigator settings

    • Using HTML syntax

      • Saving the HTML source, modifying it and resubmitting it allows upload of unwanted content
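A detection check for the URL tricks on this slide, added here as an example (it is not part of the original talk). It parses web-server access-log lines in Common Log Format, which Domino can write, and flags requests for the default databases named on the "ACL Issues" slide, for ?Open on the server root, and for $DefaultNav?OpenNavigator, marking whether the request was anonymous, came from outside and succeeded. The sample log lines, the internal network ranges and all function names are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Default Domino system databases named on the "ACL Issues" slide.
SENSITIVE_DBS = {"names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf"}

# Common Log Format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>"[^"]*"|\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: these ranges are the organisation's internal networks.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(host):
    """True if host is an IP address inside INTERNAL_NETS (hostnames count as external)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def classify_request(target):
    """Return the reasons a request target matches the slide's URL tricks, or []."""
    path, _, query = target.partition("?")
    path = unquote(path).lower()          # Domino URL commands are case-insensitive
    query = unquote(query).lower()
    reasons = []
    db = next((seg for seg in path.split("/") if seg.endswith(".nsf")), None)
    if db in SENSITIVE_DBS:
        reasons.append("system database " + db)
    if path == "/" and query.startswith("open"):
        reasons.append("server root ?Open (database listing)")
    if "$defaultnav" in path and query.startswith("opennavigator"):
        reasons.append("$DefaultNav?OpenNavigator (navigator bypass)")
    return reasons


def scan(lines):
    """Parse CLF lines and report every request that classify_request flags."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a CLF line
        reasons = classify_request(m["target"])
        if not reasons:
            continue
        findings.append({
            "host": m["host"],
            "user": m["user"].strip('"'),
            "target": m["target"],
            "reasons": reasons,
            "anonymous": m["user"] == "-",
            "external": not is_internal(m["host"]),
            "succeeded": m["status"].startswith("2"),
        })
    return findings


# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2001:10:02:11 +0200] "GET /names.nsf?Open HTTP/1.0" 200 5120
203.0.113.7 - - [15/Jul/2001:10:02:19 +0200] "GET /catalog.nsf/$DefaultNav?OpenNavigator HTTP/1.0" 200 18344
10.1.2.3 - jdoe [15/Jul/2001:10:03:40 +0200] "GET /mail/jdoe.nsf?OpenDatabase HTTP/1.0" 200 2210
203.0.113.9 - - [15/Jul/2001:10:05:02 +0200] "GET /?Open HTTP/1.0" 200 4077
198.51.100.4 - - [15/Jul/2001:10:07:55 +0200] "GET /log.nsf?Open HTTP/1.0" 401 312
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        flags = [k for k in ("anonymous", "external", "succeeded") if f[k]]
        print(f["host"], f["target"], "; ".join(f["reasons"]), flags)
```

Run it over a real Domino access log to get the same four findings shape: a successful anonymous hit on names.nsf from outside the internal ranges is the case the talk's "Restrict access from the Web" recommendation is about; a 401 on log.nsf is still worth seeing, because it shows someone probing for the default databases.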


    Product Features 2

    • Names and Address Book

      • User ID files stored in the Person document

      • HTTP username + password (hash) viewable by all internal users

      • HTTP password is usually the same as the ID-file password


    Product Features 3

    • Stored Forms

    • Explained in Detail ->



    Stored Forms

    • Notes database structure

      • Data

        • Structured data

        • RichText (attachments, actions, etc.)

        • HTML (Java / JavaScript)

      • Forms

        • Render the data

        • Programmable events

    • Stored Forms

      • A database object (document) that carries its own form


    Stored Forms

    • Background

      • Reported back in 1996

        • Oliver Buerger, Germany

        • Der Spiegel (11-03-1996, pages 220-222)

        • Lotus responded with the ECL in R4.5

    • Four years later, in 2000

      • Very few have the ECL set up correctly

      • Almost everyone allows Stored Forms


    Stored Forms

    • Purpose

      • Workflow applications

      • Client administration

    • Issues

      • Enabled by default in every database

      • Code in the QueryOpen event runs without any user interaction

      • Transmitted over SMTP, so a stored form arrives by ordinary email


    Stored Forms

    Demonstration



    Our Research



    Our Research

    • Background

      • Published at DEFCON-8, Las Vegas

      • Ethical Disclosure

      • Much Exposure, but

      • Missing Crucial Details



    Our Research

    • What we will discuss

      • Design Elements

      • Bypassing the ECL

      • Unclear User Preferences

      • Password hash

      • Validating ID-files



    Notes Design Elements

    • Design Elements

      • Stored in obscure locations within the db

      • Can be modified with Editor access

      • Accessible as regular Notes documents

    • Example

      • Stored Forms are enabled via an 'f' in the $Flags item of the Icon document of a mail db

      • For the mail file of an R5.03 client, the note IDs are:

        • Icon document = 2A2

        • DbScript = 1C6


    Execution Control Lists

    • Introduced with Release 4.5 to combat the problem with Stored Forms

    • Controls what "foreign" code can be executed, depending on the Notes signature on the code

      • Trusted signature: which functions to allow

      • Default: for signatures not listed in the ECL

      • No signature: for unsigned code


    Execution Control Lists

    • Common ECL problems

      • Very few administrators and users understand ECL concepts

      • ECL settings are stored in an obscure location

      • Until release 5.0.2, the default settings grant "WORLD" access, i.e. untrusted and unsigned code runs


    Execution Control Lists

    • We discovered two ways to reset the ECL of a Notes client

      • @RefreshECL("" : ""; "")

      • Remove ECLSetup=3 from notes.ini
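A defender-side check for the second reset trick, added as an example (not code from the talk): it parses a client's notes.ini, which is a flat KEY=VALUE file, reports whether the ECLSetup=3 marker is present, and also reproduces what the attack does to the file so the check can be exercised. Only the marker name ECLSetup=3 comes from the slide; the sample file content and the helper names are constructed assumptions.

```python
# notes.ini is a flat KEY=VALUE file; keys are case-insensitive.
# ECLSetup=3 is the marker the talk names. The sample file below is constructed.


def parse_notes_ini(text):
    """Return {lowercased key: value} for every KEY=VALUE line in a notes.ini."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue                       # blank, comment or the [Notes] header
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def ecl_setup_state(text):
    """'ok' when ECLSetup=3 is present, 'missing' when absent, 'stale' for any other value."""
    value = parse_notes_ini(text).get("eclsetup")
    if value is None:
        return "missing"
    return "ok" if value == "3" else "stale"


def strip_ecl_setup(text):
    """What the talk's second reset trick does to the file: drop the ECLSetup line."""
    kept = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() == "eclsetup":
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample notes.ini (hostnames and paths are assumptions).
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\notes\\data
KeyFilename=user.id
MailServer=CN=Hub01/O=Example
ECLSetup=3
"""

if __name__ == "__main__":
    print("as shipped:", ecl_setup_state(SAMPLE_NOTES_INI))
    print("after reset trick:", ecl_setup_state(strip_ecl_setup(SAMPLE_NOTES_INI)))
```

Point the parser at every workstation's notes.ini (for example from a login script) and alert on anything other than "ok"; a client whose marker has vanished is about to rebuild its ECL from the defaults the talk warns about.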


    Execution Control Lists

    • We discovered that

      • Notes API calls are not intercepted by the ECL

      • OLE/COM automation uses the Notes API, so code reached that way bypasses the ECL as well


    Execution Control Lists

    Demonstration



    Unclear User Preferences

    • F5 doesn’t do what you think…

    • What about sharing that User ID …



    Unclear User Preferences

    Demonstration



    Unclear User Preferences

    • Observations

      • Once an API program has acquired access, the password remains cached

      • User ID sharing is a flag in the Notes process memory

    • Vulnerability

      • The flag can be changed from an external program

      • F5 (lock) only affects the Notes client itself

    Note: an API program can only access what the Notes client has accessed before.


    HTTP Password Hash

    • Based on a modified RC4 implementation

    • HTTP passwords are not salted, so the same password always yields the same digest:

      • 355E98E7C7B59BD810ED845AD0FD2FC4 = "password"

      • 06E0A50B579AD2CD5FFDC48564627EE7 = "secret"

      • CD2D90E8E00D8A2A63A81F531EA8A9A3 = "lotus"

    • Brute-force and dictionary attacks are possible
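What the missing salt costs an attacker who can read the HTTPPassword field of every Person document, shown as an added example that is not part of the talk. The Domino R5 digest itself is not reproduced here (off-the-shelf crackers implement it: John the Ripper's lotus5 format and hashcat mode 8600); MD5 and SHA-256 stand in for an unsalted and a salted scheme, so the digests in this example do not match the ones on the slide. It goes a step beyond the slide by contrasting both schemes: with no salt, reused passwords are visible before any cracking, one dictionary pass covers every account at once, and, because the HTTP password is usually the ID-file password, each crack is also a candidate for a stolen ID file (see the "ID's can be validated" conclusion). The accounts, plaintexts and wordlist are constructed.

```python
import hashlib
import os

# Stand-in digests. The actual Domino R5 HTTP password digest (the talk: a modified
# RC4 construction) is NOT reproduced here; MD5 and SHA-256 only show what the
# missing salt costs, so these digests do not match the slide's.
def unsalted_hash(password):
    return hashlib.md5(password.encode()).hexdigest().upper()


def salted_hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest().upper()


# Constructed plaintexts for four Person documents (not real accounts).
PLAINTEXTS = {"jdoe": "password", "asmith": "lotus",
              "bjones": "password", "admin": "Tr0ub4dor&3"}
WORDLIST = ["123456", "secret", "password", "lotus", "notes", "domino"]


def make_person_docs(salted):
    """Build the fields an internal user can read from names.nsf: ShortName + HTTPPassword."""
    docs = []
    for user, pw in PLAINTEXTS.items():
        if salted:
            salt = os.urandom(8)
            docs.append({"ShortName": user, "Salt": salt,
                         "HTTPPassword": salted_hash(pw, salt)})
        else:
            docs.append({"ShortName": user, "HTTPPassword": unsalted_hash(pw)})
    return docs


def reused_passwords(docs):
    """Equal digests mean equal passwords when there is no salt: reuse shows before cracking."""
    by_hash = {}
    for d in docs:
        by_hash.setdefault(d["HTTPPassword"], []).append(d["ShortName"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def crack_unsalted(docs, wordlist):
    """One digest per candidate word covers every account: cost is len(wordlist)."""
    users_by_hash = {}
    for d in docs:
        users_by_hash.setdefault(d["HTTPPassword"], []).append(d["ShortName"])
    cracked, evaluations = {}, 0
    for word in wordlist:
        evaluations += 1
        for user in users_by_hash.get(unsalted_hash(word), []):
            cracked[user] = word
    return cracked, evaluations


def crack_salted(docs, wordlist):
    """With a per-user salt each (user, word) pair needs its own digest."""
    cracked, evaluations = {}, 0
    for d in docs:
        for word in wordlist:
            evaluations += 1
            if salted_hash(word, d["Salt"]) == d["HTTPPassword"]:
                cracked[d["ShortName"]] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    docs = make_person_docs(salted=False)
    print("reuse visible without cracking:", reused_passwords(docs))
    print("unsalted:", crack_unsalted(docs, WORDLIST))
    print("salted:  ", crack_salted(make_person_docs(salted=True), WORDLIST))
```

Against four accounts and a six-word list the unsalted pass costs six digests, the salted pass sixteen; against a directory with tens of thousands of Person documents the unsalted cost still stays at the size of the wordlist, which is why the talk's "choose different passwords for ID and HTTP account" recommendation matters until the stronger hash is in place.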


    HTTP Password Hash

    Demonstration



    Notes User ID file

    • Delivers:

      • Authentication

        • Access Control

      • Non-repudiation & Integrity

        • Digital Signature

      • Confidentiality

        • Encryption


    Notes User ID file

    • Contains:

      • Encrypted private and public key

      • User information

      • Expiration date

      • Integrity control

    • Used by:

      • Notes Client

      • Domino Server

      • API-based programs


    Notes User ID file

    • Notes Client Features:

      • Blocks brute-force attacks

      • Digest checked in server NAB

      • Auto logoff & F5-based lockout

      • User ID sharing (API-programs)



    Notes User ID file

    • Identity Theft

      • Inside your Network

      • Outside your Organization



    Notes User ID file

    Demonstration



    Conclusions



    Conclusions

    • Multiple Vulnerabilities exist

      • At All Levels in the Notes / Domino Environment

      • Causing Serious Threats

        • Vandalism

        • Theft

        • Fraud

        • Warfare



    Conclusions

    • Domino Server Security

      • URL syntax

        • Viewing unintended content

        • Uploading content

    • Server ID file

      • No password recommended



    Conclusions

    • Workstation Security

      • Execution of Malicious Code

        • Stored Forms

        • Two ways to reset ECL

        • Bypass ECL with OLE/API calls

    • Continuing a Locked Session

      • With API programs (NotesPeek)

      • Resetting Sharing Flag



    Conclusions

    • Database Security

      • Design Elements

        • Accessible as Notes Documents

        • Editor Access to Modify/Corrupt

    • Names & Address Book

      • ECL settings in obscure locations

      • HTTP hashes and other sensitive data viewable by all internal users

      • ID files downloadable


    Conclusions

    • ID File Security

      • IDs can be obtained

        • Downloaded from the Names & Address Book

        • With malicious code / email

        • From a workstation's local or network drive

      • IDs can be validated

        • With the HTTP password hash

        • During an active or cleared session


    Recommendations



    Recommendations

    • Response of Lotus

      • Lacks Crucial Details

      • No Solutions Delivered

      • Requires more Pressure

  • Take Action

    • Assess your Situation

    • Check for Yourself

    • Follow our Recommendations



    Recommendations

    • Restrict access from the Web

    • Don't store user IDs in the NAB

    • Choose different passwords for the ID file and the HTTP account

    • Store the user ID file on removable media

    • Use a strong password hash (Lotus)

      • Manually upgrade existing entries to the stronger hash (Lotus)

    • Exit Notes completely when leaving your desk

    • Never click on ANY email attachment


    Recommendations

    • Enforce ACLs on ALL databases

    • Restrict anonymous browsing on all default databases

    • Disable stored forms on mail databases

    • Enforce strong ECLs on all unsigned and untrusted documents

    • Ensure strong host-level security on all Notes servers



    For More Information

    • Web

      • http://www.trust-factory.com

      • http://www.sdi-group.com

      • http://www.lotus.com

  • Whitepaper

    • under construction

    • mailto: [email protected]



    Q&A



    Contact Details

    Trust Factory B.V.

    Bazarstraat 44-a

    2518 AK The Hague

    The Netherlands

    +31 70 362 0684

    [email protected]


