Falling Domino’s

Presentation Transcript


  1. Falling Domino’s
  R.K. McPeake, W. Aukema

  2. Agenda
  Topic                           Minutes   Speaker
  Introduction                    5         Kevin
  Lotus Notes Security 1          40        Kevin
  Break                           5
  Lotus Notes Security 2          45        Wouter
  Conclusions & Recommendations   10        Kevin & Wouter
  Black Hat Windows 2000 Security

  3. General Introduction
  • Trust, but Verify
  • DEFCON-8, July 31, Las Vegas
  • Full Disclosure vs. Limited Disclosure
  • SDI, Inc. - our trusted 3rd-party validator

  4. General Introduction
  • Crucial facts - Lotus left them out
  • Domino & Notes - under further scrutiny
  • Our future

  5. Intro Lotus Notes

  6. What is Lotus Notes?
  • Secure groupware platform
  • Email, application, web & database connectivity services
  • Application development platform
    • @Formula language, LotusScript, JavaScript, Java, C/C++ API

  7. How big is Lotus Notes?
  • Over 60 million corporate users
  • Major releases: 4.5.x, 4.6.x, 5.0.x

  8. Who Uses Notes?
  • Government: legislature, military, intelligence agencies
  • Multinationals: manufacturing, pharmaceuticals, petrochemical, defense contractors
  • Utilities: power companies, telcos
  • Finance: accounting, banks, insurance
  • Others: law firms

  9. Why people use Notes
  • Security features
    • Public Key Infrastructure
    • Authentication
    • Encryption
    • Access control levels: server, database, document, field
  • Reputation
    • Extremely few vulnerabilities

  10. Client Platform Support
  Platforms compared for Release 4 and Release 5: Win95, Win98, WinNT, Win2000, Macintosh, Sun Solaris, OS/2

  11. Server Platform Support
  Release 4: Windows 95, 98, NT; Netware; Solaris; HPUX; AIX; OS/390, OS/400; OS/2
  Release 5: Windows 95, 98, NT, 2000; Netware; Solaris; HPUX; AIX; OS/390, OS/400; OS/2; Linux

  12. Lotus Notes Security
  • Part I - Kevin
    • 1 - Access Control Lists
    • 2 - Server ID files and passwords
    • 3 - HTTP server
    • 4 - Names & Address Book
  • Part II - Wouter
    • 5 - Stored Forms
    • 6 - Execution Control List
    • 7 - Password hashing
    • 8 - ID-file validation

  13. Security Issues - I

  14. 1 - ACL Issues
  • Access Control Lists = ACL
  • Purpose
    • To restrict access to Notes databases
  • Issue
    • Default settings are insecure and allow people to read (and sometimes modify) databases

  15. 1 - ACL Issues
  Database      Purpose                                  Exposure with the default ACL
  names.nsf     Blueprint of the Notes infrastructure    Browse setup & user accounts
  catalog.nsf   Lists all Notes databases                Browse ACLs & file locations
  domcfg.nsf    Setup / config of the web server         Create virtual servers / redirects
  log.nsf       Monitoring server/user/agent activity    Browse user & server activity
  • and more...

  16. 2 - Server ID Issues
  • SERVER.ID files
  • Purpose
    • Server identity
  • Issue
    • To allow auto-restart of Notes servers, absence of a password is recommended

  17. 2 - Server ID Issues
  • With a stolen ID file, one can:
    • Open databases from that server
    • Access other servers
    • Create a new "fake" server

  18. 3 - HTTP Server Issues
  • Using URL syntax, appended to http://www.example.com/
    • ?Open - allows full database browsing
    • database.nsf/$DefaultNav?OpenNavigator
    • .nsf/../xxx - results in files being served
    • /view/$readviewentries
  • Using HTML syntax
    • Saving & modifying the HTML source allows upload of unwanted content

  19. 4 - Database Issues
  • Names and Address Book
    • User IDs stored with the person document
    • HTTP username + password viewable by all internal users
    • HTTP password = ID-file password

  20. 4 - Database Issues
  • Catalog database
    • Stores a full listing of all databases
    • Stores current ACL information for each database
    • Complete with full file paths for each DB
    • Various DB properties also stored
    • Domain Indexer properties

  21. 4 - Database Issues
  • Log database
    • Database pathname
    • Who has Manager rights in the ACL
    • Usage information
    • Server console log - how often is it used?
    • Routing information
    • Replication information

  22. 4 - Database Issues
  • Administration Requests database
    • A centralized "crontab" for Notes events
    • Server performs tasks on behalf of the Admin

  23. 4 - Database Issues
  • Statistics & Events database
    • The "watchdog" for any Domino server
    • Watches for "events" and sends notifications to Admins when a set status is reached / triggered
    • An event can be a threshold, TCP probe, ACL change, etc.

  24. 4 - Database Issues
  • Other databases
    • In Domino R5.x - 58 possible default databases
    • Many do not have proper default ACLs
    • Most provide valuable information to an attacker, if exposed

  25. Footprinting a Domino server
  A little demonstration... ;-)
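The footprinting demonstration itself is not in the transcript. As an added example that is not code from the talk or from Lotus, the Python script below builds the probe URLs from slide 18 for the default databases named on slides 15 and 24 and classifies each response. It runs offline against a constructed fake Domino server; the function names, the `admin4.nsf` and `events4.nsf` file names (standard Domino names for the Administration Requests and Statistics & Events databases, not stated on the slides), the `$defaultview` placeholder and the response strings of the fake server are assumptions of the example.

```python
"""Added example (not code from the talk): footprint a Domino HTTP server
with the URL syntax from slide 18 against default databases.  Runs offline
against a constructed fake server; function names are mine."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin

# names/catalog/domcfg/log are named on the slides; admin4.nsf (Administration
# Requests) and events4.nsf (Statistics & Events) are the standard Domino file
# names for two more databases the talk discusses (my addition).
DEFAULT_DATABASES = ["names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf",
                     "admin4.nsf", "events4.nsf"]

# Slide 18 suffixes.  ?Open opens the database with its default view;
# $DefaultNav?OpenNavigator opens the default navigator even when the default
# view is hidden; ?ReadViewEntries returns a view as XML.  The slide writes the
# last one as /view/$readviewentries; $defaultview is Domino's placeholder for
# the default view (assumption: the target honours it).
PROBE_SUFFIXES = ["?Open", "/$DefaultNav?OpenNavigator",
                  "/$defaultview?ReadViewEntries"]

Fetch = Callable[[str], Tuple[int, str]]   # url -> (status, body)


def build_probes(base_url: str, databases: List[str] = DEFAULT_DATABASES) -> List[str]:
    """Every database combined with every suffix, e.g. http://host/names.nsf?Open."""
    return [urljoin(base_url, db) + suffix
            for db in databases for suffix in PROBE_SUFFIXES]


def classify(status: int, body: str) -> str:
    """What one response tells the attacker: 401 = the Anonymous ACL entry is
    below Reader; 200 with HTML or view XML = Anonymous can read it;
    404 = nothing at that path."""
    if status == 401:
        return "auth-required"
    if status == 404:
        return "absent"
    lowered = body.lower()
    if status == 200 and ("<html" in lowered or "<viewentries" in lowered):
        return "open"
    return "other(%d)" % status


def footprint(base_url: str, fetch: Fetch,
              databases: List[str] = DEFAULT_DATABASES) -> Dict[str, str]:
    """Probe each database with every suffix and keep the most permissive
    verdict, so a database whose default view is hidden still shows as
    'open' when the navigator or ReadViewEntries trick works."""
    rank = {"open": 3, "auth-required": 2, "absent": 1}
    results: Dict[str, str] = {}
    for db in databases:
        best = "absent"
        for suffix in PROBE_SUFFIXES:
            verdict = classify(*fetch(urljoin(base_url, db) + suffix))
            if rank.get(verdict, 0) > rank.get(best, 0):
                best = verdict
        results[db] = best
    return results


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetch, for a server you are authorised to test."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("latin-1", "replace")


def fake_domino(url: str) -> Tuple[int, str]:
    """Constructed stand-in for an R5 server with typical default ACLs:
    names.nsf and log.nsf need a login, catalog.nsf and domcfg.nsf are open to
    Anonymous, admin4.nsf is readable only through the navigator trick, and
    events4.nsf is not on the server.  Response bodies are made up."""
    db = url.split("/", 3)[3].split("?")[0].split("/")[0]
    if db in ("names.nsf", "log.nsf"):
        return 401, "<html>Please identify yourself</html>"
    if db in ("catalog.nsf", "domcfg.nsf"):
        return 200, "<html><title>%s</title></html>" % db
    if db == "admin4.nsf":
        return (200, "<html>navigator</html>") if "OpenNavigator" in url else (401, "")
    return 404, "HTTP Web Server: Lotus Notes Exception - File does not exist"


if __name__ == "__main__":
    for db, verdict in footprint("http://www.example.com/", fake_domino).items():
        print("%-12s %s" % (db, verdict))
```

Swap `fake_domino` for `http_fetch` to run it against a real server; any database reported as `open` has an Anonymous ACL entry of Reader or above (or a readable navigator/view), which is exactly what slide 15's table says an attacker reads first.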


  28. Issues - 6
  • Notes database structure
    • Data
      • Structured data
      • RichText (attachments, actions, etc.)
      • HTML (Java / JavaScript)
    • Forms
      • Rendering data
      • Programmable events
    • Stored Forms
      • Database object with form

  29. Stored Forms Issues
  • Background
    • Reported back in 1996
    • Oliver Buerger, Germany
    • Der Spiegel (11-03-1996, pages 220-222)
    • Lotus responded with the ECL in R4.5
  • 4 years later, in 2000
    • Very few have the ECL set up correctly
    • Almost everyone allows Stored Forms

  30. Stored Forms Issues
  • Purpose
    • Workflow applications
    • Client administration
  • Issues
    • Enabled by default in every database
    • Code in the QueryOpen event runs with no user interaction
    • Transmitted over SMTP

  31. Stored Forms Issues
  Demonstration

  32. Our Research

  33. Our Research
  • Background
    • Published at DEFCON-8, Las Vegas
    • Ethical disclosure
    • Much exposure, but
    • Missing crucial details

  34. Our Research
  • What we will discuss
    • Design elements
    • Bypassing the ECL
    • Unclear user preferences
    • Password hash
    • Validating ID files

  35. Notes Design Elements
  • Design elements
    • Stored in obscure locations within the db
    • Can be modified with Editor access
    • Accessible as regular Notes documents
  • Example
    • Stored Forms enabled via 'f' in the $Flags item of the Icon document in a mail db
    • For mail based on the mail50.ntf template, the note IDs are: Icon document = 10E, DbScript = 276

  36. Execution Control Lists
  • Introduced with Release 4.5, to combat the problem with stored forms
  • Controls what "foreign" code can be executed, depending on Notes "signatures"
    • Trusted signature: which functions to allow for that signer
    • Default: for signatures not specified in the ECL
    • No Signature: for unsigned code

  37. Execution Control List
  • ECL
  • Purpose
    • To restrict execution of untrusted code at the Notes client
  • Issue
    • R4 through R5.0.1: default settings allow execution of untrusted & unsigned code
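The stored-forms flag on slide 35 and the three ECL entries on slide 36 together decide whether code mailed to a user runs. As an added example that is not part of the talk, the Python audit below walks a mail database modelled as plain dicts, reports each document that carries a stored form together with the ECL entry that would govern it, and shows the icon-note fix. The `$TITLE` presence test, the `signer` field (standing in for the verified signature of a document), the shortened ECL option names and all sample documents are assumptions constructed for the example.

```python
"""Added example (not code from the talk): audit a mail database for stored
forms and decide which ECL entry would govern the code they carry.
Documents, the ECL and signer names are constructed dicts for the example."""
from typing import Dict, List, Optional

Note = Dict[str, object]          # item name -> value, like a Notes document
Ecl = Dict[str, Dict[str, bool]]  # entry name -> {ecl option -> allowed}


def stored_forms_allowed(icon_note: Note) -> bool:
    """Slide 35: the 'f' character in the icon note's $Flags item is the
    database property that lets the client render stored forms."""
    return "f" in str(icon_note.get("$Flags", ""))


def disable_stored_forms(icon_note: Note) -> Note:
    """Copy of the icon note with the flag cleared: the design-level fix,
    which anyone with Editor access can also revert (slide 35)."""
    fixed = dict(icon_note)
    fixed["$Flags"] = str(icon_note.get("$Flags", "")).replace("f", "")
    return fixed


def carries_stored_form(doc: Note) -> bool:
    """A document with a stored form holds the form's design in its own
    items; $TITLE (the form name) is the usual presence test (assumption)."""
    return "$TITLE" in doc


def ecl_entry_for(ecl: Ecl, signer: Optional[str]) -> str:
    """Slide 36: a named trusted signer gets its own entry, any other signer
    falls under -Default-, unsigned code under -No Signature-."""
    if signer is None:
        return "-No Signature-"
    return signer if signer in ecl else "-Default-"


def audit(db: dict, ecl: Ecl) -> List[Dict[str, object]]:
    """For every document carrying a stored form: which ECL entry its
    QueryOpen code would run under and whether that entry grants file-system
    access (the right the R4 to R5.0.1 default ECL gave everyone)."""
    if not stored_forms_allowed(db["icon"]):
        return []          # client ignores stored forms in this database
    findings = []
    for doc in db["documents"]:
        if not carries_stored_form(doc):
            continue
        entry = ecl_entry_for(ecl, doc.get("signer"))
        findings.append({
            "noteid": doc["NoteID"],
            "form": doc["$TITLE"],
            "ecl_entry": entry,
            "file_system": ecl[entry].get("file_system", False),
        })
    return findings


# Constructed sample: an R5 mail file with the default flag set and three
# inbound memos; "signer" stands in for each document's verified signature.
SAMPLE_DB = {
    "icon": {"NoteID": "10E", "$Flags": "f"},    # 'f' = stored forms allowed
    "documents": [
        {"NoteID": "8F2", "Form": "Memo", "Subject": "Q3 figures",
         "signer": "Alice Admin/Example", "$TITLE": "Memo", "$Body": "..."},
        {"NoteID": "8F6", "Form": "Memo", "Subject": "look at this",
         "$TITLE": "Memo", "$Body": "..."},            # unsigned stored form
        {"NoteID": "8FA", "Form": "Memo", "Subject": "lunch?"},  # plain memo
    ],
}

# ECL option names are shortened; "file_system" is "Access to file system".
LOOSE_ECL = {                    # the R4 - R5.0.1 default: everyone may
    "-Default-": {"file_system": True, "current_database": True},
    "-No Signature-": {"file_system": True, "current_database": True},
}
HARDENED_ECL = {                 # only a named signer keeps file access
    "Alice Admin/Example": {"file_system": True, "current_database": True},
    "-Default-": {"file_system": False, "current_database": False},
    "-No Signature-": {"file_system": False, "current_database": False},
}

if __name__ == "__main__":
    for label, ecl in (("loose", LOOSE_ECL), ("hardened", HARDENED_ECL)):
        for finding in audit(SAMPLE_DB, ecl):
            print(label, finding)
    fixed = {"icon": disable_stored_forms(SAMPLE_DB["icon"]),
             "documents": SAMPLE_DB["documents"]}
    print("after clearing the flag:", audit(fixed, LOOSE_ECL))
```

The two ECL tables make the point of slides 37 and 39: with the loose defaults both stored-form memos, signed or not, get file-system access; with a hardened ECL only the named signer keeps it, and clearing the icon-note flag stops the client from using stored forms in that database at all.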

  38. ECL Issues
  • Execution of malicious code
    • Melissa
    • LoveBug

  39. Execution Control Lists
  • Common ECL problems
    • Very few administrators and users understand ECL concepts
    • ECL settings are stored in an obscure location
    • Until release 5.0.2, default settings allow "WORLD" access

  40. Execution Control Lists
  • We noticed two ways to reset the ECL of a Notes client
    • @RefreshECL("" : "" ; "")
    • Remove ECLSetup=3 from notes.ini

  41. Execution Control Lists
  • We noticed that
    • Notes API calls are not intercepted by the ECL
    • OLE/COM uses the Notes API

  42. Execution Control Lists
  Demonstration

  43. Unclear User Preferences
  • F5 doesn't always do what you think...
  • Especially when sharing that User ID...

  44. Unclear User Preferences
  Demonstration

  45. Unclear User Preferences
  • Observations
    • Once an API program has acquired access, the password remains cached
    • User ID sharing is a flag in the Notes client's process memory
  • Vulnerability
    • The flag can be changed from an external program
    • F5 lockout is limited to the Notes client only
  Note: an API program can only access what the Notes client has accessed before.

  46. HTTP Password Hash
  • Based on a modified RC4 implementation
  • HTTP passwords are not salted, so equal passwords give equal hashes:
    • 355E98E7C7B59BD810ED845AD0FD2FC4 = "password"
    • 06E0A50B579AD2CD5FFDC48564627EE7 = "secret"
    • CD2D90E8E00D8A2A63A81F531EA8A9A3 = "lotus"
  • Brute-force / dictionary attacks are possible

  47. HTTP Password Hash
  Demonstration

  48. Notes User ID file
  • Delivers:
    • Authentication
      • Access control
    • Non-repudiation & integrity
      • Digital signature
    • Confidentiality
      • Encryption

  49. Notes User ID file
  • Contains:
    • Encrypted private key and public key
    • User information
    • Expiration date
    • Integrity control
  • Used by:
    • Notes client
    • Domino server
    • API-based programs

  50. Notes User ID file
  • Notes client features:
    • Blocks brute-force attacks
    • Digest checked in the server NAB
    • Auto logoff & F5-based lockout
    • User ID sharing (API programs)
