Falling Domino’s

R.K. McPeake

W. Aukema


Contents

  • General Intro
  • Intro Lotus Notes
  • Known Issues
  • Our Research
  • Conclusions
  • Recommendations
  • Q&A

BlackHat


General Introduction

  • Trust, but Verify
  • DEFCON-8, July 31, Las Vegas
  • Crucial Facts
  • Our Future


Intro Lotus Notes


What is Lotus Notes?

  • Secure Groupware Platform
    • Email, Application, Web & Database connectivity services
  • Application Development Platform
    • @Formula language, LotusScript, JavaScript, Java, C/C++ API


How big is Lotus Notes?

  • Over 60 million corporate users
  • Major Releases: 4.5-, 4.6-, 5.0-


Who Uses Notes?

  • Government
    • Legislature
    • Military
    • Intelligence Agencies
  • Multinationals
    • Manufacturing
    • Pharmaceuticals
    • Petrochemical
    • Defense Contractors
  • Utilities
    • Power Companies
    • Telcos
  • Finance
    • Accounting
    • Banks
    • Insurance
  • Others
    • Law firms


Why people use Notes

  • Security Features
    • Public Key Infrastructure
      • Authentication
      • Encryption
    • Access control levels
      • Server, Database
      • Document, Field
  • Reputation
    • Extremely few vulnerabilities


Known Issues


Known Issues

  • Misconfigurations
    • 1 - Access Control Lists
    • 2 - Server ID-file passwords
    • 3 - Execution Control Lists
  • Product Features
    • 1 - HTTP Server
    • 2 - Names & Address Book
    • 3 - Stored Forms


Common Misconfigurations 1

  • Access Control Lists = ACL
    • Purpose
      • To restrict access to Notes databases
    • Issue
      • Default settings are insecure and allow people to read (and sometimes modify) databases


ACL Issues

  • names.nsf
    • Blueprint of the Notes infrastructure
    • Browse setup & user accounts
  • catalog.nsf
    • Lists all Notes databases
    • Browse ACLs & file locations
  • domcfg.nsf
    • Setup / config of the web server
    • Create virtual servers / redirects
  • log.nsf
    • Monitoring of server / user / agent activity
    • Browse user & server activity
  • and more...


Common Misconfigurations 2

  • SERVER.ID File
    • Purpose
      • Server Identity
    • Issue
      • To allow auto-restart of Notes servers, absence of a password is recommended.


Server-ID Issues

  • With a stolen ID-file, one can:
    • Open all databases on that server
    • Access other servers


Common Misconfigurations 3

  • Execution Control Lists = ECL
    • Purpose
      • To restrict execution of untrusted code at the Notes client
    • Issue
      • R4 till R5.01: default settings allow execution of untrusted & unsigned code


ECL Issues

  • Execution of Malicious Code
    • Melissa
    • LoveBug


Product Features 1

  • Using URL Syntax
    • Http://www.example.com/ +
      • ?open - allows full database browsing
      • database.nsf/$DefaultNav?OpenNavigator - bypasses database navigator settings
  • Using HTML Syntax
    • Saving & modifying the HTML source allows upload of unwanted content
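An added detection example, not part of the deck: it scans web-server access log lines for browsing of the default databases named under ACL Issues (names.nsf, catalog.nsf, domcfg.nsf, log.nsf) through the ?Open and $DefaultNav?OpenNavigator URL commands described above, and separates anonymous requests the server actually served from blocked and authenticated ones. It assumes the log is in Common Log Format with "-" as the user field for anonymous requests; the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Domino system databases the deck lists as readable under default ACLs.
DEFAULT_DBS = {"names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf"}
# URL commands from the deck: bare ?Open browsing and $DefaultNav?OpenNavigator.
RISKY_CMDS = re.compile(r"\?(open|opennavigator)\b|\$defaultnav", re.I)
# Assumed Common Log Format: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def database_in_path(path):
    # First *.nsf segment of the request path, percent-decoded and lower-cased.
    for seg in unquote(path.split("?", 1)[0]).lower().split("/"):
        if seg.endswith(".nsf"):
            return seg
    return None

def classify(host, user, path, status):
    # Verdict tuple for one request, or None if it is not a default-db browse.
    db = database_in_path(path)
    if db not in DEFAULT_DBS or not RISKY_CMDS.search(path):
        return None
    if user != "-":                       # authenticated HTTP user
        return (host, db, "authenticated-browse")
    if 200 <= status < 300:               # anonymous, and the server served it
        return (host, db, "anonymous-browse-succeeded")
    return (host, db, "anonymous-browse-blocked")

def scan(lines):
    # Run classify() over raw log lines; unparsable lines are skipped.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            verdict = classify(m["host"], m["user"], m["path"], int(m["status"]))
            if verdict:
                findings.append(verdict)
    return findings

# Constructed sample log, not real traffic: one anonymous client walking the
# default databases, then a logged-in user opening log.nsf and their own mail.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Jul/2000:10:12:01 +0200] "GET /names.nsf?Open HTTP/1.0" 200 18342
198.51.100.7 - - [31/Jul/2000:10:12:05 +0200] "GET /catalog.nsf/$DefaultNav?OpenNavigator HTTP/1.0" 200 9120
198.51.100.7 - - [31/Jul/2000:10:12:09 +0200] "GET /domcfg.nsf?Open HTTP/1.0" 401 0
10.0.0.5 - jsmith [31/Jul/2000:10:15:30 +0200] "GET /log.nsf?Open HTTP/1.0" 200 4410
10.0.0.5 - jsmith [31/Jul/2000:10:16:00 +0200] "GET /mail/jsmith.nsf/($Inbox)?OpenView HTTP/1.0" 200 7000
""".splitlines()
```

Calling scan(SAMPLE_LOG) returns one tuple per flagged request; only the two URL commands the deck names are matched, so the user's own mail file and other ?Open* commands are not reported.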


Product Features 2

  • Names and Address Book
    • User IDs stored with the person document
    • HTTP username + password viewable by all internal users
    • HTTP password = ID-file password


Product Features 3

  • Stored Forms
    • Explained in detail ->


Stored Forms

  • Notes Database Structure
    • Data
      • Structured data
      • RichText (attachments, actions, etc.)
      • HTML (Java / JavaScript)
    • Forms
      • Rendering data
      • Programmable events
  • Stored Forms
    • Database object with form


Stored Forms

  • Background
    • Reported back in 1996
      • Oliver Buerger, Germany
      • Der Spiegel (11-03-1996, page 220-222)
      • Lotus responds with the ECL in R4.5
    • 4 years later, in 2000
      • Very few have the ECL set up correctly
      • Almost everyone allows Stored Forms


Stored Forms

  • Purpose
    • Workflow applications
    • Client administration
  • Issues
    • Enabled by default in every database
    • In the QueryOpen event, no user interaction
    • Transmitted over SMTP


Stored Forms: Demonstration


Our Research


Our Research

  • Background
    • Published at DEFCON-8, Las Vegas
    • Ethical Disclosure
    • Much Exposure, but
    • Missing Crucial Details


Our Research

  • What we will discuss
    • Design Elements
    • Bypassing the ECL
    • Unclear User Preferences
    • Password hash
    • Validating ID-files


Notes Design Elements

  • Design Elements
    • Stored in obscure locations within the db
    • Can be modified with Editor access
    • Accessible as regular Notes documents
  • Example
    • Stored Form enabled via ‘f’ in the $Flags item of an Icon document in the mail db
    • For the mail file in an R5.03 client, the note-id for
      • Icon doc = 2A2
      • DbScript = 1C6


Execution Control Lists

  • Introduced with Release 4.5, to combat the problem with stored forms
  • Controls what “foreign” code can be executed depending on Notes “Signatures”
    • Trusted Signature: which functions to allow
    • Default: for signatures not specified in the ECL
    • No Signature: for unsigned code


Execution Control Lists

  • Common ECL Problems
    • Very few administrators and users understand ECL concepts
    • ECL settings are stored in an obscure location
    • Until release 5.0.2-, default settings allow “WORLD” access


Execution Control Lists

  • We discovered two ways to reset the ECL of a Notes client
    • @RefreshECL (“” : “” ; “”)
    • Remove ECLSetup = 3 from notes.ini


Execution Control Lists

  • We discovered that
    • Notes API calls are not intercepted by the ECL
    • OLE/COM uses the Notes API


Execution Control Lists: Demonstration


Unclear User Preferences

  • F5 doesn’t do what you think…
  • What about sharing that User ID …


Unclear User Preferences: Demonstration


Unclear User Preferences

  • Observations
    • Once an API program has acquired access, the password remains cached
    • User ID sharing is a flag in the memory of the Notes process
  • Vulnerability
    • The flag can be changed from an external program
    • F5 is limited to the Notes client only

Note: an API program can only access what the Notes client has accessed before.


HTTP Password Hash

  • Based on a modified RC4 implementation
  • HTTP passwords are not salted
    • 355E98E7C7B59BD810ED845AD0FD2FC4 = “password”
    • 06E0A50B579AD2CD5FFDC48564627EE7 = “secret”
    • CD2D90E8E00D8A2A63A81F531EA8A9A3 = “lotus”
  • Brute force / dictionary attacks are possible
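An added audit example, not part of the deck: because the legacy HTTP hash is unsalted, two users with the same password carry the same hash, and the three hash/password pairs quoted above form a small known-weak table. The script checks an export of person documents for those three hashes, groups users who share any hash, and lists who is still on the 32-hex-digit legacy format (the users who need the stronger hash the recommendations mention). The HTTPPassword field name and the sample records are assumptions; the repeated 0123... value is a made-up hash, not a real one.

```python
import re
from collections import defaultdict

# Hash/password pairs quoted in the deck (legacy unsalted Domino HTTP hash).
KNOWN_WEAK = {
    "355E98E7C7B59BD810ED845AD0FD2FC4": "password",
    "06E0A50B579AD2CD5FFDC48564627EE7": "secret",
    "CD2D90E8E00D8A2A63A81F531EA8A9A3": "lotus",
}
# The legacy hash is 32 hex digits with no salt; anything else is not audited.
LEGACY_HASH = re.compile(r"^[0-9A-F]{32}$")

def is_legacy_unsalted(h):
    return bool(LEGACY_HASH.match(h.strip().upper()))

def audit(records):
    # records: (username, HTTPPassword) pairs exported from person documents.
    # Returns {"weak": {user: password}, "shared": [[users]...], "legacy": [users]}.
    weak, legacy, by_hash = {}, [], defaultdict(list)
    for user, h in records:
        h = h.strip().upper()
        if not is_legacy_unsalted(h):
            continue                    # empty, or already on a newer format
        legacy.append(user)
        by_hash[h].append(user)         # unsalted: same hash means same password
        if h in KNOWN_WEAK:
            weak[user] = KNOWN_WEAK[h]
    shared = sorted(users for users in by_hash.values() if len(users) > 1)
    return {"weak": weak, "shared": shared, "legacy": legacy}

# Constructed sample export, not real directory data. The repeated 0123... value
# is a made-up hash standing in for some unknown password two users share.
SAMPLE_RECORDS = [
    ("Alice Admin/Example", "355E98E7C7B59BD810ED845AD0FD2FC4"),
    ("Bob Builder/Example", "CD2D90E8E00D8A2A63A81F531EA8A9A3"),
    ("Carol Clerk/Example", "CD2D90E8E00D8A2A63A81F531EA8A9A3"),
    ("Dan Dev/Example", "0123456789ABCDEF0123456789ABCDEF"),
    ("Eve Exec/Example", "0123456789ABCDEF0123456789ABCDEF"),
    ("Frank Field/Example", ""),        # no HTTP password set
]
```

audit(SAMPLE_RECORDS) reports Alice, Bob and Carol as using deck-listed passwords, Bob/Carol and Dan/Eve as sharing a password, and all five hashed users as still on the legacy format.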


HTTP Password Hash: Demonstration


Notes User ID file

  • Delivers:
    • Authentication
      • Access Control
    • Non Repudiation & Integrity
      • Digital Signature
    • Confidentiality
      • Encryption


Notes User ID file

  • Contains:
    • Encrypted Private and Public Key
    • User Information
    • Expiration Date
    • Integrity Control
  • Used by:
    • Notes Client
    • Domino Server
    • API based programs


Notes User ID file

  • Notes Client Features:
    • Blocks brute-force attacks
    • Digest checked in server NAB
    • Auto logoff & F5-based lockout
    • User ID sharing (API programs)


Notes User ID file

  • Identity Theft
    • Inside your Network
    • Outside your Organization


Notes User ID file: Demonstration


Conclusions


Conclusions

  • Multiple Vulnerabilities exist
    • At All Levels in the Notes / Domino Environment
    • Causing Serious Threats
      • Vandalism
      • Theft
      • Fraud
      • Warfare


Conclusions

  • Domino Server Security
    • URL syntax
      • Viewing unintended content
      • Uploading content
    • Server ID file
      • No password recommended


Conclusions

  • Workstation Security
    • Execution of Malicious Code
      • Stored Forms
      • Two ways to reset the ECL
      • Bypass the ECL with OLE/API calls
    • Continuing a Locked Session
      • With API programs (NotesPeek)
      • Resetting the Sharing Flag


Conclusions

  • Database Security
    • Design Elements
      • Accessible as Notes Documents
      • Editor Access to Modify/Corrupt
    • Names & Address Book
      • ECL settings in obscure locations
      • HTTP hashes and other sensitive data viewable by all internal users
      • ID files downloadable


Conclusions

  • ID File Security
    • IDs can be obtained
      • Download from Names & Address Book
      • With malicious code / email
      • From workstation local/network drive
    • IDs can be validated
      • With the HTTP password hash
      • During an active/cleared session


Recommendations


Recommendations

  • Response of Lotus
    • Lacks Crucial Details
    • No Solutions Delivered
    • Requires more Pressure
  • Take Action
    • Assess your Situation
    • Check for Yourself
    • Follow our Recommendations


Recommendations

  • Restrict access from the Web
  • Don’t store User IDs in the NAB
  • Choose different passwords for the ID and the HTTP account
  • Store the User ID file on removable media
  • Use a strong password hash (Lotus)
    • Manually upgrade to the stronger hash (Lotus)
  • Exit Notes completely when leaving your desk
  • Never click on ANY email attachments


Recommendations

  • Enforce ACLs on ALL databases
  • Restrict anonymous browsing on all default databases
  • Disable stored forms on mail databases
  • Enforce strong ECLs on all unsigned and untrusted documents
  • Ensure strong host-level security on all Notes servers


For More Information

  • Web
    • http://www.trust-factory.com
    • http://www.sdi-group.com
    • http://www.lotus.com
  • Whitepaper
    • under construction
    • mailto: [email protected]


Q&A


Contact Details

Trust Factory B.V.
Bazarstraat 44-a
2518 AK The Hague
The Netherlands
+31 70 362 0684
[email protected]

