
Falling Domino’s

R.K. McPeake

W. Aukema

Agenda

Item, minutes, speaker:

  • Introduction: 5 minutes, Kevin
  • Lotus Notes Security 1: 40 minutes, Kevin
  • Break: 5 minutes
  • Lotus Notes Security 2: 45 minutes, Wouter
  • Conclusions & Recommendations: 10 minutes, Kevin & Wouter

Black Hat Windows 2000 Security

General Introduction
  • Trust, but Verify
  • DEFCON-8, July 31, Las Vegas
  • Full Disclosure vs. Limited Disclosure
  • SDI, Inc. - our trusted 3rd party validator

General Introduction
  • Crucial Facts - Lotus left them out
  • Domino & Notes - under further scrutiny
  • Our Future

Intro Lotus Notes

What is Lotus Notes?
  • Secure Groupware Platform
      • Email, Application, Web & Database connectivity services
  • Application Development Platform
      • @Formula language, LotusScript, Javascript, Java, C/C++ API

How big is Lotus Notes?
  • Over 60 million corporate users
      • Major Releases: 4.5-, 4.6-, 5.0-

Who Uses Notes?
  • Government
      • Legislature
      • Military
      • Intelligence Agencies
  • Multinationals
      • Manufacturing
      • Pharmaceuticals
      • Petrochemical
      • Defense Contractors
  • Utilities
      • Power Companies
      • Telcos
  • Finance
      • Accounting
      • Banks
      • Insurance
  • Others
      • Law Firms

Why people use Notes
  • Security Features
      • Public Key Infrastructure
          • Authentication
          • Encryption
      • Access control levels
          • Server, Database
          • Document, Field
  • Reputation
      • Extremely few vulnerabilities

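Client Platform Support
  • Release 4: Win95, Win98, WinNT, Win2000, Macintosh, Sun Solaris, OS/2
  • Release 5: Win95, Win98, WinNT, Win2000, Macintosh, Sun Solaris, OS/2
  • The slide marks three platforms per release with an X; which platforms the marks apply to is not recoverable from this transcript.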

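Server Platform Support
  • Release 4: Windows 95,98,NT, Netware, Solaris, HPUX, AIX, OS/390-400, OS/2
  • Release 5: Windows 95,98,NT,2000, Netware, Solaris, HPUX, AIX, OS/390-400, OS/2, Linux
  • The slide marks three platforms per release with an X; which platforms the marks apply to is not recoverable from this transcript.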

Lotus Notes Security
  • Part - I - Kevin
      • 1 - Access Control Lists
      • 2 - Server ID-files and passwords
      • 3 - HTTP Server
      • 4 - Names & Address Book
  • Part - II - Wouter
      • 5 - Stored Forms
      • 6 - Execution Control List
      • 7 - Password Hashing
      • 8 - ID-file Validation

Security Issues - I

1 - ACL Issues
  • Access Control Lists = ACL
      • Purpose
          • To restrict access to Notes databases
      • Issue
          • Default settings are insecure and allow people to read (& sometimes modify) databases

1 - ACL Issues
  • names.nsf
      • Blueprint Notes Infrastructure
      • Browse Setup & User Accounts
  • catalog.nsf
      • Lists all Notes Databases
      • Browse ACL’s & File-locations
  • domcfg.nsf
      • Setup / Config of Webserver
      • Create Virtual Servers/Re-directs
  • log.nsf
      • Monitoring Server/User/Agent Activity
      • Browse User & Server Activity
  • and more...

2 - Server ID Issues
  • SERVER.ID Files
      • Purpose
          • Server Identity
      • Issue
          • To allow auto-restart of Notes servers, absence of password is recommended.

2 - Server-ID Issues
  • With stolen ID-file, one can:
      • Open databases from that server
      • Access other servers
      • Create a new “fake” server

3 - HTTP Server Issues
  • Using URL Syntax
      • http://www.example.com/ +
          • ?open - Allows full database browsing
          • database.nsf/$DefaultNav?OpenNavigator
          • .nsf/../xxx - results in files being served
          • /view/$readviewentries
  • Using HTML Syntax
      • Saving & modifying the HTML source allows upload of unwanted content
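
An added example, not part of the original slides: detection logic that flags the URL patterns listed above, plus requests to the default databases named on the ACL slide, in a web access log. It assumes Common Log Format; the rule names and the sample lines (including `help.nsf` and `sales.nsf`) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Default databases named on the slides; extend with your own inventory.
DEFAULT_DBS = {"names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf"}

# URL patterns from the "HTTP Server Issues" slide (rule names are made up here).
RULES = [
    ("nsf-path-traversal", re.compile(r"\.nsf/\.\./", re.I)),
    ("read-view-entries", re.compile(r"\$readviewentries", re.I)),
    ("default-navigator", re.compile(r"\$defaultnav\?opennavigator", re.I)),
    ("bare-open", re.compile(r"^/\?open(&|$)", re.I)),
]

# Request field of a Common Log Format line: "METHOD target HTTP/x.y" status
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (target, status, sorted rule names), or None if nothing matches."""
    m = REQUEST.search(line)
    if not m:
        return None
    target = unquote(m.group(1))  # decode %2e%2e, %24 etc. before matching
    hits = {name for name, rx in RULES if rx.search(target)}
    first_segment = target.split("?", 1)[0].lstrip("/").split("/", 1)[0].lower()
    if first_segment in DEFAULT_DBS:
        hits.add("default-db:" + first_segment)
    return (target, int(m.group(2)), sorted(hits)) if hits else None

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2000:10:00:01 +0000] "GET /?Open HTTP/1.0" 200 5120
192.0.2.10 - - [01/Aug/2000:10:00:04 +0000] "GET /catalog.nsf/$DefaultNav?OpenNavigator HTTP/1.0" 200 880
192.0.2.10 - - [01/Aug/2000:10:00:09 +0000] "GET /names.nsf/People/%24readviewentries HTTP/1.0" 401 0
192.0.2.10 - - [01/Aug/2000:10:00:12 +0000] "GET /help.nsf/%2e%2e/xxx HTTP/1.0" 404 0
198.51.100.7 - - [01/Aug/2000:10:01:00 +0000] "GET /sales.nsf/Orders?OpenView HTTP/1.0" 200 2048
""".splitlines()

def findings(lines=SAMPLE_LOG):
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for target, status, rules in findings():
        flag = "SERVED" if status == 200 else "blocked"
        print(f"{flag:8} {status} {target}  <- {', '.join(rules)}")
```

A match with status 200 means the server answered the request, which is the case to review first against the database ACL and anonymous-access settings.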

4 - Database Issues
  • Names and Address Book
      • User ID’s stored with person document
      • HTTP-Username + Password viewable by all internal users
      • HTTP password = ID-file password

4 - Database Issues
  • Catalog Database
      • Stores a full listing of all databases
      • Stores current ACL information for each database
      • Complete with full file paths for each DB
      • Various DB properties also stored
      • Domain Indexer Properties

4 - Database Issues
  • Log Database
      • Database Pathname
      • who’s got Manager rights in the ACL
      • Usage information
      • Server Console Log - how often is it used?
      • Routing information
      • Replication information

4 - Database Issues
  • Administration Requests Database
      • A centralized “crontab” for Notes events
      • Server performs task on behalf of Admin

4 - Database Issues
  • Statistics & Events Database
      • The “watchdog” for any Domino server
      • Watches for “events” and sends notifications to Admins when a ‘set’ status is obtained / triggered
      • An event can be a ‘threshold, TCP probe, ACL change, etc.’

4 - Database Issues
  • Other Databases
      • In Domino R5.x - 58 possible default Databases
      • Many do not have proper default ACL’s
      • Most provide valuable information to an attacker, if exposed

Footprinting a Domino server

A little Demonstration… ;-)

Issues - 6
  • Notes Database Structure
      • Data
          • Structured data
          • RichText (attachments, actions, etc.)
          • HTML (Java / JavaScript)
      • Forms
          • Rendering data
          • Programmable Events
      • Stored Forms
          • Database Object with Form

Stored Forms Issues
  • Background
      • Reported back in 1996
          • Oliver Buerger, Germany
          • Der Spiegel (11-03-1996, page 220-222)
          • Lotus responds with the ECL in R4.5
      • 4 Years later, in 2000
          • Very few have the ECL setup correctly
          • Almost everyone allows Stored Forms

Stored Forms Issues
  • Purpose
      • Workflow Applications
      • Client Administration
  • Issues
      • Enabled by default in every database
      • In QueryOpen event, no user interaction
      • Transmitted over SMTP

Stored Forms Issues

Demonstration

Our Research

Our Research
  • Background
      • Published at DEFCON-8, Las Vegas
      • Ethical Disclosure
      • Much Exposure, but
      • Missing Crucial Details

Our Research
  • What we will discuss
      • Design Elements
      • Bypassing the ECL
      • Unclear User Preferences
      • Password hash
      • Validating ID-files

Notes Design Elements
  • Design Elements
      • Stored in obscure locations within db
      • Can be Modified with Editor access
      • Accessible as regular Notes Documents
  • Example
      • Stored Form enabled via ‘f’ in $Flags item of an Icon document in mail db
      • For mail based on mail50.ntf template, the note-id for...
          • Icon doc = 10E
          • DbScript = 276

Execution Control Lists
  • Introduced with Release 4.5, to combat the problem with stored forms
  • Controls what “foreign” code can be executed depending on Notes “Signatures”
      • Trusted Signature: Which functions to allow
      • Default: for Signatures not specified in ECL
      • No Signature: for unsigned code

Execution Control List
  • ECL
      • Purpose
          • To restrict execution of untrusted code at Notes client
      • Issue
          • R4 till R5.01: Default settings allow execution of untrusted & unsigned code

ECL Issues
  • Execution of Malicious Code
      • Melissa
      • LoveBug

Execution Control Lists
  • Common ECL Problems
      • Very Few Administrators and Users understand ECL concepts
      • ECL settings are stored in obscure location
      • Until release 5.0.2- default settings allow “WORLD” access

Execution Control Lists
  • We noticed two ways to reset the ECL of a Notes client
      • @RefreshECL (“” : “” ; “”)
      • Remove ECLSetup = 3 from notes.ini

Execution Control Lists
  • We noticed that
      • Notes API calls are not Intercepted by the ECL
      • OLE/COM uses Notes API

Execution Control Lists

Demonstration

Unclear User Preferences
  • F5 doesn’t always do what you think…
  • Especially when sharing that User ID …

Unclear User Preferences

Demonstration

Unclear User Preferences
  • Observations
      • Once API program has acquired access, password remains cached
      • User ID sharing is a flag in Notes Memory Process
  • Vulnerability
      • Flag can be changed from external program
      • F5 limited to Notes client only

Note: API program can only access what Notes Client has accessed before.

HTTP Password Hash
  • Based on modified RC4 implementation
  • HTTP passwords not salted
      • 355E98E7C7B59BD810ED845AD0FD2FC4 = “password”
      • 06E0A50B579AD2CD5FFDC48564627EE7 = “secret”
      • CD2D90E8E00D8A2A63A81F531EA8A9A3 = “lotus”
  • Brute force/dictionary-attacks are possible
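
An added example, not part of the original slides: an audit over an exported list of (user, HTTP password hash) pairs showing what the missing salt means in practice. Equal passwords give equal hashes, so shared passwords and hashes already published on the slide above can be found by comparison alone. The export format, the user names, the `0123...` hash and the handling of parentheses around stored values are assumptions.

```python
import re
from collections import defaultdict

# Hashes published on the slide above (for "password", "secret", "lotus").
PUBLISHED = {
    "355E98E7C7B59BD810ED845AD0FD2FC4",
    "06E0A50B579AD2CD5FFDC48564627EE7",
    "CD2D90E8E00D8A2A63A81F531EA8A9A3",
}
HEX32 = re.compile(r"^[0-9A-F]{32}$")

def normalise(value):
    """Upper-case and strip whitespace and surrounding parentheses (assumed export quirk)."""
    v = value.strip().strip("()").upper()
    return v if HEX32.match(v) else None

def audit(rows):
    """rows: iterable of (user, stored_hash). Returns accounts needing a password change."""
    by_hash = defaultdict(list)
    unparsed = []
    for user, stored in rows:
        h = normalise(stored)
        (by_hash[h] if h else unparsed).append(user)
    return {
        # Hash is publicly known, so the password is too.
        "published": sorted(u for h, us in by_hash.items() if h in PUBLISHED for u in us),
        # No salt: identical hashes mean identical passwords.
        "shared": sorted(sorted(us) for us in by_hash.values() if len(us) > 1),
        # Empty or not a 32-digit hex value; check these by hand.
        "unparsed": unparsed,
    }

# Constructed sample export (names and the 0123... hash are made up).
SAMPLE_EXPORT = [
    ("CN=Alice Example/O=Acme", "(355E98E7C7B59BD810ED845AD0FD2FC4)"),
    ("CN=Bob Example/O=Acme", "0123456789ABCDEF0123456789ABCDEF"),
    ("CN=Carol Example/O=Acme", "0123456789abcdef0123456789abcdef"),
    ("CN=Dave Example/O=Acme", "cd2d90e8e00d8a2a63a81f531ea8a9a3"),
    ("CN=Erin Example/O=Acme", ""),
]

if __name__ == "__main__":
    for kind, users in audit(SAMPLE_EXPORT).items():
        print(kind, users)
```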

HTTP Password Hash

Demonstration

Notes User ID file
  • Delivers:
      • Authentication
          • Access Control
      • Non Repudiation & Integrity
          • Digital Signature
      • Confidentiality
          • Encryption

Notes User ID file
  • Contains:
          • Encrypted Private and Public Key
          • User Information
          • Expiration Date
          • Integrity Control
  • Used by:
          • Notes Client
          • Domino Server
          • API based programs

Notes User ID file
  • Notes Client Features:
          • Blocks brute-force attacks
          • Digest checked in server NAB
          • Auto logoff & F5-based lockout
          • User ID sharing (API-programs)

Notes User ID file
  • Identity Theft can occur from:
      • Inside your Network
      • Outside your Organization

Notes User ID file

Demonstration

Conclusions

Conclusions
  • Multiple Vulnerabilities exist
      • At All Levels in the Notes / Domino Environment
      • Causing Serious Threats
          • Vandalism
          • Theft
          • Fraud
          • Warfare

Conclusions
  • Domino Server Security
      • URL syntax
          • Viewing unintended content
          • Uploading content
      • Server ID file
          • No password recommended

Conclusions
  • Workstation Security
      • Execution of Malicious Code
          • Stored Forms
          • Two ways to reset ECL
          • Bypass ECL with OLE/API calls
      • Continuing a Locked Session
          • With API programs (NotesPeek)
          • Resetting Sharing Flag

Conclusions
  • Database Security
      • Design Elements
          • Accessible as Notes Documents
          • Editor Access to Modify/Corrupt
      • Names & Address Book
          • ECL settings in obscure locations
          • http-hashes and other sensitive data viewable by all internal users
          • ID files downloadable

Conclusions
  • ID File Security
      • ID’s can be obtained
          • Download from Names&Address Book
          • With malicious code / email
          • From workstation local/network drive
      • ID’s can be validated
          • With http-password hash
          • During active/cleared session

Conclusions
  • All vulnerabilities shown today can be dealt with, except for one.
  • Notes/Domino is still a very secure platform.

Recommendations

Recommendations
  • Restrict access from the Web
  • Don’t store User IDs in NAB
  • Choose Different Passwords for ID and HTTP account
  • Store User ID file on removable media
  • Use strong password hash (Lotus)
      • Manually upgrade to the stronger hash (Lotus)
  • Exit Notes completely when leaving your desk
  • Never click on ANY email attachments

Recommendations
  • Enforce ACLs on ALL databases
  • Restrict anonymous browsing on all default databases
  • Disable stored forms on mail databases
  • Enforce strong ECLs on all unsigned and untrusted documents
  • Ensure strong host-level security on all Notes servers

Recommendations
  • Look at Lotus
      • Domino offers many security features: USE THEM
      • Check the SecurityZone on their website
      • Stay informed
  • Take Action
      • Assess your level of security
      • Acquire Third Party Validation for your implementation

For More Information
  • Web
      • http://www.trust-factory.com
      • http://www.sdi-group.com
      • http://www.lotus.com

Q&A

Contact Details

Trust Factory B.V.

Bazarstraat 44-a

2518 AK The Hague

The Netherlands

+31 70 362 0684

info@trust-factory.com
