
Falling Domino’s

R.K. McPeake

W. Aukema

Contents
  • General Intro
  • Intro Lotus Notes
  • Known Issues
  • Our Research
  • Conclusions
  • Recommendations
  • Q&A

BlackHat

General Introduction
  • Trust, but Verify
  • DEFCON-8, July 31, Las Vegas
  • Crucial Facts
  • Our Future

What is Lotus Notes?
  • Secure Groupware Platform
      • Email, Application, Web & Database connectivity services
  • Application Development Platform
      • @Formula language, LotusScript, Javascript, Java, C/C++ API

How big is Lotus Notes?
  • Over 60 million corporate users
      • Major Releases: 4.5-, 4.6-, 5.0-

Who Uses Notes?
  • Government
      • Legislature
      • Military
      • Intelligence Agencies
  • Multinationals
      • Manufacturing
      • Pharmaceuticals
      • Petrochemical
      • Defense Contractors
  • Utilities
      • Power Companies
      • Telcos
  • Finance
      • Accounting
      • Banks
      • Insurance
  • Others
      • Law firms

Why people use Notes
  • Security Features
      • Public Key Infrastructure
          • Authentication
          • Encryption
      • Access control levels
          • Server, Database
          • Document, Field
  • Reputation
      • Extremely few vulnerabilities

Known Issues
  • Misconfigurations
      • 1 - Access Control Lists
      • 2 - Server ID-file passwords
      • 3 - Execution Control Lists
  • Product Features
      • 1 - HTTP Server
      • 2 - Names & Address Book
      • 3 - Stored Forms

Common Misconfigurations 1
  • Access Control Lists = ACL
      • Purpose
          • To restrict access to Notes databases
      • Issue
          • Default settings are insecure and allow people to read (& sometimes modify) databases

ACL Issues
  • names.nsf
      • Blueprint of the Notes infrastructure
      • Browse setup & user accounts
  • catalog.nsf
      • Lists all Notes databases
      • Browse ACLs & file locations
  • domcfg.nsf
      • Setup / config of the web server
      • Create virtual servers / redirects
  • log.nsf
      • Monitoring of server / user / agent activity
      • Browse user & server activity
  • and more...

Common Misconfigurations 2
  • SERVER.ID File
      • Purpose
          • Server Identity
      • Issue
          • To allow Domino servers to restart unattended, Lotus recommends leaving the server ID file without a password

Server-ID Issues
  • With stolen ID-file, one can:
      • Open all databases on that server
      • Access other servers

Common Misconfigurations 3
  • Execution Control Lists = ECL
      • Purpose
          • To restrict execution of untrusted code at Notes client
      • Issue
          • R4 through R5.01: the default settings allow execution of untrusted and unsigned code

ECL Issues
  • Execution of Malicious Code
      • Melissa
      • LoveBug

Product Features 1
  • Using URL Syntax
      • http://www.example.com/?Open - allows full database browsing on the server
      • http://www.example.com/database.nsf/$DefaultNav?OpenNavigator - bypasses the database's navigator settings
  • Using HTML Syntax
      • Saving and modifying the HTML source of a form allows upload of unwanted content
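
The two slides above (the default databases readable under default ACLs, and the ?Open / $DefaultNav?OpenNavigator URL commands) amount to a checklist an administrator can run against their own server. The script below is an added example, not code from the talk or from Lotus: it builds the anonymous probe URLs for the four databases named on the ACL slide, classifies the HTTP answers, and, so that it runs offline, drives the classifier with a constructed response table instead of a live host. The host name domino.example, the status-code interpretation in classify(), and the response table are all assumptions.

```python
"""Check which Domino default databases answer anonymous HTTP requests."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Databases the talk lists as readable under default ACLs.
DEFAULT_DATABASES = ("names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf")


def probe_urls(base: str) -> Dict[str, str]:
    """Build the URLs to try: the server-root ?Open and, per database,
    ?Open plus the $DefaultNav?OpenNavigator navigator bypass."""
    base = base.rstrip("/")
    urls = {"server ?Open": f"{base}/?Open"}
    for db in DEFAULT_DATABASES:
        urls[f"{db} ?Open"] = f"{base}/{db}?Open"
        urls[f"{db} $DefaultNav"] = f"{base}/{db}/$DefaultNav?OpenNavigator"
    return urls


def http_status(url: str, timeout: float = 5.0) -> int:
    """Anonymous GET returning the HTTP status code (real network transport)."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-acl-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """ASSUMPTION: a 200 to an anonymous request means the ACL let Anonymous
    read; 401/403 means the server asked for credentials; 404 means the
    database is not there. Anything else needs a manual look."""
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    return f"review({status})"


def audit(base: str, fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Run every probe through `fetch` and classify the answers."""
    return {label: classify(fetch(url)) for label, url in probe_urls(base).items()}


def exposed(report: Dict[str, str]) -> List[str]:
    """Labels whose database answered an anonymous request with 200."""
    return sorted(label for label, verdict in report.items() if verdict == "exposed")


# Constructed responses standing in for a server, so the check runs offline.
CONSTRUCTED_RESPONSES = {
    "http://domino.example/?Open": 200,
    "http://domino.example/names.nsf?Open": 200,
    "http://domino.example/names.nsf/$DefaultNav?OpenNavigator": 200,
    "http://domino.example/catalog.nsf?Open": 401,
    "http://domino.example/catalog.nsf/$DefaultNav?OpenNavigator": 401,
    "http://domino.example/domcfg.nsf?Open": 404,
    "http://domino.example/domcfg.nsf/$DefaultNav?OpenNavigator": 404,
    "http://domino.example/log.nsf?Open": 403,
    "http://domino.example/log.nsf/$DefaultNav?OpenNavigator": 403,
}


def offline_fetch(url: str) -> int:
    """Transport that answers from the constructed table (404 if unknown)."""
    return CONSTRUCTED_RESPONSES.get(url, 404)


if __name__ == "__main__":
    for label, verdict in audit("http://domino.example/", offline_fetch).items():
        print(f"{verdict:10} {label}")
```

Against a live server, call audit("http://your-server/") with the default fetch. One caveat: a server using session-based authentication answers a denied request with a redirect to a login form, which urllib follows, so a 200 can be the form rather than the database; confirm an "exposed" verdict by looking at the response body before reporting it.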

Product Features 2
  • Names and Address Book
      • User ID’s stored with person document
      • HTTP-Username + Password viewable by all internal users
      • HTTP password = ID-file password

Product Features 3
  • Stored Forms
  • Explained in Detail ->

Stored Forms
  • Notes Database Structure
      • Data
          • Structured data
          • RichText (attachments, actions, etc.)
          • HTML (Java / JavaScript)
      • Forms
          • Rendering data
          • Programmable Events
      • Stored Forms
          • Database Object with Form

Stored Forms
  • Background
      • Reported back in 1996
          • Oliver Buerger, Germany
          • Der Spiegel (11-03-1996, page 220-222)
          • Lotus responds with the ECL in R4.5
      • 4 Years later, in 2000
          • Very few have the ECL setup correctly
          • Almost everyone allows Stored Forms

Stored Forms
  • Purpose
      • Workflow Applications
      • Client Administration
  • Issues
      • Enabled by default in every database
      • In QueryOpen event, no user interaction
      • Transmitted over SMTP

Stored Forms

Demonstration

Our Research
  • Background
      • Published at DEFCON-8, Las Vegas
      • Ethical Disclosure
      • Much Exposure, but
      • Missing Crucial Details

Our Research
  • What we will discuss
      • Design Elements
      • Bypassing the ECL
      • Unclear User Preferences
      • Password hash
      • Validating ID-files

Notes Design Elements
  • Design Elements
      • Stored in obscure locations within db
      • Can be Modified with Editor access
      • Accessible as regular Notes Documents
  • Example
      • Stored Forms are enabled via an ‘f’ in the $Flags item of the Icon document in the mail database
      • For the mail file in a R5.03 client, the note IDs are:
          • Icon doc = 2A2
          • DbScript = 1C6

Execution Control Lists
  • Introduced with Release 4.5, to combat the problem with stored forms
  • Controls what “foreign” code can be executed depending on Notes “Signatures”
      • Trusted Signature: Which functions to allow
      • Default: for Signatures not specified in ECL
      • No Signature: for unsigned code

Execution Control Lists
  • Common ECL Problems
      • Very Few Administrators and Users understand ECL concepts
      • ECL settings are stored in obscure location
      • Until release 5.0.2- default settings allow “WORLD” access

Execution Control Lists
  • We discovered two ways to reset the ECL of a Notes client
      • @RefreshECL("" : "" ; "")
      • Remove ECLSetup=3 from notes.ini

Execution Control Lists
  • We discovered that
      • Notes API calls are not Intercepted by the ECL
      • OLE/COM uses Notes API

Execution Control Lists

Demonstration

Unclear User Preferences
  • F5 doesn’t do what you think…
  • What about sharing that User ID …

Unclear User Preferences

Demonstration

Unclear User Preferences
  • Observations
      • Once an API program has acquired access, the password remains cached
      • User ID sharing is a flag in the Notes process memory
  • Vulnerability
      • The flag can be changed from an external program
      • The F5 lockout applies to the Notes client only, not to API programs

Note: An API program can only access what the Notes client has accessed before.

HTTP Password Hash
  • Based on modified RC4 implementation
  • HTTP passwords not salted
      • 355E98E7C7B59BD810ED845AD0FD2FC4 = “password”
      • 06E0A50B579AD2CD5FFDC48564627EE7 = “secret”
      • CD2D90E8E00D8A2A63A81F531EA8A9A3 = “lotus”
  • Brute force/dictionary-attacks are possible
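
The point of the slide is that because the hash carries no salt, one precomputed table of hashed dictionary words cracks every Person document at once, and a cracked HTTP password is also a candidate for the user's ID file (the NAB slide notes the two are the same). The following is an added example, not code from the talk or from Lotus. It does not reproduce the Domino R5 hash algorithm; the stand-in hash (SHA-256, labelled as an assumption in the code) is used only because it shares the property that matters here, no salt and deterministic output. The wordlist and the Person-document tables are constructed sample input. The salted variant is included to show why the talk's recommendation to move to a stronger hash changes the attacker's cost.

```python
"""Dictionary attack against unsalted HTTP password hashes, and the salted contrast."""
import hashlib
from typing import Callable, Dict, Iterable, Optional, Tuple


def stand_in_hash(data: str) -> str:
    """ASSUMPTION: placeholder for the Domino R5 HTTP hash. SHA-256 is used only
    because it is unsalted and deterministic; it is not the Lotus algorithm."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest().upper()


# Constructed wordlist for the demonstration.
WORDLIST = ["123456", "password", "secret", "lotus", "welcome", "notes"]

# Constructed stand-in for what the talk says is readable in names.nsf:
# user -> HTTP password hash from the Person document.
PERSON_DOCS_UNSALTED = {
    "Alice": stand_in_hash("password"),
    "Bob": stand_in_hash("lotus"),
    "Carol": stand_in_hash("correct horse battery"),
}

# Hypothetical salted scheme, user -> (salt, hash), for the cost comparison.
PERSON_DOCS_SALTED = {
    "Alice": ("a1", stand_in_hash("a1" + "password")),
    "Bob": ("b2", stand_in_hash("b2" + "lotus")),
    "Carol": ("c3", stand_in_hash("c3" + "correct horse battery")),
}


def crack_unsalted(
    person_docs: Dict[str, str],
    wordlist: Iterable[str],
    hash_fn: Callable[[str], str] = stand_in_hash,
) -> Tuple[Dict[str, Optional[str]], int]:
    """Hash the wordlist once, then look every user's hash up in that table.
    Returns (user -> recovered password or None, number of hash evaluations)."""
    table: Dict[str, str] = {}
    evaluations = 0
    for word in wordlist:
        table[hash_fn(word)] = word
        evaluations += 1
    found = {user: table.get(digest) for user, digest in person_docs.items()}
    return found, evaluations


def crack_salted(
    person_docs: Dict[str, Tuple[str, str]],
    wordlist: Iterable[str],
    hash_fn: Callable[[str], str] = stand_in_hash,
) -> Tuple[Dict[str, Optional[str]], int]:
    """With a per-user salt the table cannot be shared: every user costs a
    fresh pass over the wordlist (stopping early when a match is found)."""
    words = list(wordlist)
    found: Dict[str, Optional[str]] = {}
    evaluations = 0
    for user, (salt, digest) in person_docs.items():
        found[user] = None
        for word in words:
            evaluations += 1
            if hash_fn(salt + word) == digest:
                found[user] = word
                break
    return found, evaluations


if __name__ == "__main__":
    hits, cost = crack_unsalted(PERSON_DOCS_UNSALTED, WORDLIST)
    print(f"unsalted: {hits} after {cost} hash evaluations")
    hits, cost = crack_salted(PERSON_DOCS_SALTED, WORDLIST)
    print(f"salted:   {hits} after {cost} hash evaluations")
```

With three users and six words the unsalted attack needs six hash evaluations in total, the salted one twelve even with early exit; in a real NAB with thousands of Person documents the unsalted table is built once and reused against all of them, which is why reading names.nsf as an ordinary internal user is enough to start cracking.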

HTTP Password Hash

Demonstration

Notes User ID file
  • Delivers:
      • Authentication
          • Access Control
      • Non Repudiation & Integrity
          • Digital Signature
      • Confidentiality
          • Encryption

Notes User ID file
  • Contains:
          • Encrypted Private and Public Key
          • User Information
          • Expiration Date
          • Integrity Control
  • Used by:
          • Notes Client
          • Domino Server
          • API based programs

Notes User ID file
  • Notes Client Features:
          • Blocks brute-force attacks
          • Digest checked in server NAB
          • Auto logoff & F5-based lockout
          • User ID sharing (API-programs)

Notes User ID file
  • Identity Theft
      • Inside your Network
      • Outside your Organization

Notes User ID file

Demonstration

Conclusions
  • Multiple Vulnerabilities exist
      • At All Levels in the Notes / Domino Environment
      • Causing Serious Threats
          • Vandalism
          • Theft
          • Fraud
          • Warfare

Conclusions
  • Domino Server Security
      • URL syntax
          • Viewing unintended content
          • Uploading content
      • Server ID file
          • No password recommended

Conclusions
  • Workstation Security
      • Execution of Malicious Code
          • Stored Forms
          • Two ways to reset ECL
          • Bypass ECL with OLE/API calls
      • Continuing a Locked Session
          • With API programs (NotesPeek)
          • Resetting Sharing Flag

Conclusions
  • Database Security
      • Design Elements
          • Accessible as Notes Documents
          • Editor Access to Modify/Corrupt
      • Names & Address Book
          • ECL settings in obscure locations
          • HTTP password hashes and other sensitive data viewable by all internal users
          • ID files downloadable

Conclusions
  • ID File Security
      • IDs can be obtained
          • Downloaded from the Names & Address Book
          • With malicious code / email
          • From a workstation's local or network drive
      • IDs can be validated
          • With the HTTP password hash
          • During an active or cleared session

Recommendations
  • Response of Lotus
      • Lacks Crucial Details
      • No Solutions Delivered
      • Requires more Pressure
  • Take Action
      • Assess your Situation
      • Check for Yourself
      • Follow our Recommendations

Recommendations
  • Restrict access from the Web
  • Don’t store User IDs in NAB
  • Choose Different Passwords for ID and HTTP account
  • Store User ID file on removable media
  • Use strong password hash (Lotus)
      • Manually upgrade to the stronger hash (Lotus)
  • Exit Notes completely when leaving your desk
  • Never click on ANY email attachments

Recommendations
  • Enforce ACLs on ALL databases
  • Restrict anonymous browsing on all default databases
  • Disable stored forms on mail databases
  • Enforce strong ECLs on all unsigned and untrusted documents
  • Ensure strong host-level security on all Notes servers

For More Information
  • Web
      • http://www.trust-factory.com
      • http://www.sdi-group.com
      • http://www.lotus.com
  • Whitepaper

Q&A

Contact Details

Trust Factory B.V.

Bazarstraat 44-a

2518 AK The Hague

The Netherlands

+31 70 362 0684

[email protected]
