Falling Dominos - Lotus Notes & Domino Security
July 2000
Chris Goggans, Patrick Guenther, Kevin McPeake, Wouter Aukema

Contents:
  - Introduction to Lotus Notes
  - Access Control Lists
  - Execution Control Lists
  - Identity Theft
  - Recommendations
  - Q&A

What is Lotus Notes?
  - Secure Groupware Platform
  - Email, Application, Web & Database connectivity services
  - Application Development Platform
      - Formula language, LotusScript, JavaScript, Java, C/C++ API

How big is Lotus Notes?
  - Over 60 million corporate users
  - Majority on 4.6
  - Minority on 5.0
Who Uses Notes?
  - Utilities
  - Power Companies
  - Telcos
  - Multinationals
  - Manufacturing
  - Pharmaceuticals
  - Petrochemical
  - Defense Contractors
  - Government
  - Legislature
  - Military
  - Intelligence Agencies
  - Finance
  - Law Firms
  - Accounting
  - Banks
  - Insurance

Why they use Notes
  - Security Features
      - Public Key Infrastructure
      - Authentication
      - Encryption
      - Access control levels: Server, Database, Document, Field
  - Meets DMS requirements

Domino Internet Distribution
  - .com 17,799
  - .net 2,205
  - .org 1,388
  - .gov 81
  - .mil 19
  - .uk 1,312
  (data courtesy www.netcraft.co.uk)

Client Platform Support
  - Release 4: Win95, Win98, WinNT, Win2000, Macintosh, Sun Solaris, OS/2
  - Release 5: Win95, Win98, WinNT, Win2000, Macintosh

Server Platform Support
  - Release 4: Windows 95/98/NT, Netware, Solaris, HPUX, AIX, OS/390-400, OS/2
  - Release 5: Windows 95/98/NT/2000, Solaris, HPUX, AIX, OS/390-400, Linux

We will demonstrate
  - New Security Vulnerabilities
      - Execution Control Lists
      - Password hash attack (HTTP & ID File)
  - These attacks can be used to gain complete control of a Domino / Notes network within minutes by assuming various valid user identities on the network, and obfuscating an attacker's tracks

Introduction to Notes Vulnerabilities
  - Categorization
      - Vandalism
      - Theft
      - Fraud
      - Information Warfare
  - We will concentrate on InfoWar

Common Notes Security Problems
  - #1 security problem: misconfiguration and/or default installation security settings are used
      - ACL
      - Names & Address Book (Domino Directory) settings
      - Server ID passwords
      - ECL
  - Several security advisories already available

Access Control Lists
  - To restrict access to Notes databases, access control lists are used
  - Many Notes servers are installed with default settings, which are insecure and allow people to read and modify most databases

Common ACL problems
  - www.example.com/?Open
      - Allows full database browsing (lists the databases on the server)
  - www.example.com/database.nsf?OpenDatabase
      - Allows bypassing of default database views
  - www.example.com/database.nsf/$DEFAULTNAV?OpenNavigator
      - Allows bypassing of database navigator settings
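The URL commands above, combined with the default databases the deck lists next (names.nsf, catalog.nsf, domcfg.nsf, log.nsf, webadmin.nsf, setup.nsf, setupweb.nsf), make a quick anonymous-exposure check. The script below is an added example for this page, not code from the presentation: it builds the probe URLs, issues unauthenticated GETs, and classifies each response. The response fingerprints it relies on (a 401/403 or WWW-Authenticate challenge, Domino's "not authorized" error text, and the "?Login" form action of session-based authentication) are assumptions about typical Domino behaviour, not something the deck states; the sample responses and the host name are constructed so the module runs offline.

```python
"""Check which default Domino databases a server exposes to anonymous web users.

Added example, not part of the original presentation. Probe URLs come from the
URL commands and default databases named in the deck; the response fingerprints
(Domino's "not authorized" text, the "?Login" session-auth form) are assumptions.
"""
import urllib.error
import urllib.request

# Default databases named in the deck; any of them readable by Anonymous is a finding.
DEFAULT_DATABASES = [
    "names.nsf", "catalog.nsf", "domcfg.nsf", "log.nsf",
    "webadmin.nsf", "setup.nsf", "setupweb.nsf",
]


def build_probe_urls(base_url, databases=DEFAULT_DATABASES):
    """Server-level ?Open plus the two per-database URL commands from the deck."""
    base = base_url.rstrip("/")
    urls = [f"{base}/?Open"]                                   # lists databases on the server
    for db in databases:
        urls.append(f"{base}/{db}?OpenDatabase")               # bypasses the default view
        urls.append(f"{base}/{db}/$DEFAULTNAV?OpenNavigator")  # bypasses navigator settings
    return urls


def classify(status, headers, body):
    """Map one response to: exposed | auth-required | not-found | redirect | error."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    text = body.lower()
    if status == 404:
        return "not-found"
    if status in (401, 403) or "www-authenticate" in hdrs:
        return "auth-required"          # basic-auth challenge: Anonymous was denied
    # Assumed Domino fingerprints: the authorization error text, or a session-auth
    # login form (its action carries the ?Login URL command) served with status 200.
    if "not authorized" in text or "?login" in text:
        return "auth-required"
    if 300 <= status < 400:
        return "auth-required" if "?login" in hdrs.get("location", "").lower() else "redirect"
    if status == 200:
        return "exposed"                # Anonymous received the database content
    return "error"


def fetch(url, timeout=10):
    """Issue one unauthenticated GET; HTTP error statuses are data, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-acl-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("latin-1", "replace")


def probe(base_url, fetcher=fetch):
    """Return {url: verdict} for every probe URL; inject a fetcher for offline use."""
    return {url: classify(*fetcher(url)) for url in build_probe_urls(base_url)}


def exposed(results):
    """URLs an anonymous web user can read: each needs an Anonymous entry in its ACL."""
    return sorted(url for url, verdict in results.items() if verdict == "exposed")


# Constructed sample responses standing in for a live server (hypothetical host).
SAMPLE_RESPONSES = {
    "https://domino.example.com/?Open":
        (200, {"Content-Type": "text/html"}, "<html><title>domino.example.com</title> names.nsf ...</html>"),
    "https://domino.example.com/names.nsf?OpenDatabase":
        (200, {"Content-Type": "text/html"}, "<html><title>Domino Directory</title> HTTPPassword ...</html>"),
    "https://domino.example.com/log.nsf?OpenDatabase":
        (401, {"WWW-Authenticate": 'Basic realm="/log.nsf"'}, ""),
    "https://domino.example.com/domcfg.nsf?OpenDatabase":
        (200, {"Content-Type": "text/html"},
         '<form method="post" action="/names.nsf?Login"> Please identify yourself </form>'),
    "https://domino.example.com/setupweb.nsf?OpenDatabase":
        (404, {}, "HTTP Web Server: Lotus Notes Exception - File does not exist"),
}


def sample_fetcher(url):
    """Offline stand-in for fetch(): unknown URLs behave like a missing database."""
    return SAMPLE_RESPONSES.get(url, (404, {}, "File does not exist"))


if __name__ == "__main__":
    for url in exposed(probe("https://domino.example.com", sample_fetcher)):
        print("anonymous read:", url)
```

Against a real server, call `probe("https://host")` with the default fetcher; every URL reported as `exposed` is a database whose ACL gives Anonymous (or -Default-, when no Anonymous entry exists) at least Reader access.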
Common Default (misconfigured) Databases
  - names.nsf: Lotus Notes names and address book
  - catalog.nsf: directory of available databases
  - domcfg.nsf: Domino configuration
  - log.nsf: errors and event log
  - webadmin.nsf: remote Web-based administration of the Domino server
  - setup.nsf & setupweb.nsf: setup configuration / installation databases
  - By default, users are managers of their own mail files

Names.nsf
  - HTTP password hash is often viewable
  - ID files still attached to person documents
  - Database does not contain an Anonymous entry in the ACL (so anonymous web users receive the -Default- access level)
  - Provides a base blueprint of the existing Notes infrastructure

Catalog.nsf
  - Contains a complete catalog of every database on each server
  - Often does not contain an Anonymous entry in the ACL

Domcfg.nsf
  - The Domino Configuration database used in the installation & configuration of a Domino Web server
  - Often contains a Manager access entry for the Default user in the ACL and does not contain an entry for Anonymous

Log.nsf
  - Often the ACL is incorrectly set, allowing Web users to view all relevant information about the operation of a Domino server
  - Can be overwritten with erroneous data, allowing an attacker to cover his/her tracks

Notes Server ID file
  - To allow auto-restart of Notes servers, it is actually recommended that the SERVER.ID file not be password protected
  - If host-level security allows this file to be retrieved, it can be used locally from a client to unlock any database

Notes Databases
  - Data
      - Structured data
      - RichText (attachments, actions, etc.)
      - HTML (Java / JavaScript)
  - Forms
      - Rendering data
      - Programmable Events
  - Stored Forms
      - Database Object with Form
      - Can be sent over SMTP
Stored Form Method
  - Reported back in 1996
      - Oliver Buerger, Germany
      - Der Spiegel (11-03-1996, pages 220-222)
  - Lotus responds with the ECL in R4.5
  - 4 years later, in 2000
      - Very few have the ECL set up correctly
      - Almost everyone allows Stored Forms

Stored Forms
  - Any Notes document or database can have embedded LotusScript through the use of "Stored Forms"
  - LotusScript provides a means to do almost anything to the Notes client executing it
  - By default, stored forms are allowed on all mail databases

Stored Form Method
  - Design a form that launches a payload, and/or:
  - With the QueryOpen event, no user interaction is required!

Demonstration

Stored Form Attacks
  - Observations
      - No user interaction was required
      - No warnings presented before execution
          - Because the ECL was not properly configured
  - Tighten up the ECL
  - Disable Stored Forms

Execution Control Lists
  - To combat the problem with stored forms, Lotus implemented Execution Control Lists in version 4.5
  - ECLs allowed users and administrators to activate controls on what "foreign" code could be executed, depending on Notes "Signatures"
      - Trusted Signature: which functions to allow
      - Default: for signatures not specified in the ECL
      - No Signature: for unsigned code

Common ECL Problems
  - Very few administrators and users understand ECL concepts
  - ECL settings are stored in an obscure location
  - Until release 5.0.2, the default settings allowed "WORLD" access (unsigned and unlisted signers were permitted everything)

Removing the ECL
  - 2 undocumented ways to reset an ECL
      - @RefreshECL ( : , )
      - Remove ECLSetup = 3 from notes.ini

ECL Attack
  - Notes API calls are not intercepted by the ECL
  - OLE/COM uses the Notes API

Demonstration

Notes Design Elements
  - Design elements have "fixed" note-ids for databases that share the same template version
      - forms, views, agents, database scripts
  - When accessed as regular Notes documents, they are modifiable
  - The stored forms attribute is designated as a lowercase "f" in the $FLAGS field of the Icon note of each database
  - For the mail file in a R5.03 client, the note-id for the Icon doc = 2A2, dbScript = 1C6
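The two resets above (the missing ECLSetup line in notes.ini) and the lowercase "f" stored-forms flag in the Icon note's $FLAGS are both things a workstation audit can read directly, and the OLE ProgIDs named in the recommendations that follow (Notes.NotesSession, Notes.NotesUIWorkspace) can be checked in the registry. The script below is an added example for this page, not code from the presentation: it parses notes.ini, evaluates $FLAGS, and reports still-registered ProgIDs. What it checks for follows the deck's statements; the sample notes.ini, database names and flag values are constructed, and the registry check (winreg) only runs on Windows.

```python
"""Audit a Notes workstation for the ECL weaknesses the deck describes.

Added example, not part of the original presentation. Checks: ECLSetup=3 present
in notes.ini (the deck says removing it resets the ECL), lowercase 'f' in a
database Icon note's $FLAGS (stored forms allowed, per the deck), and whether
the Notes OLE ProgIDs the deck recommends removing are still registered.
"""
import sys

OLE_PROGIDS = ("Notes.NotesSession", "Notes.NotesUIWorkspace")


def parse_notes_ini(text):
    """notes.ini is 'Key=Value' per line under a [Notes] header; keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_ecl_setup(settings):
    """Return a finding string, or None when ECLSetup=3 is present as expected."""
    value = settings.get("eclsetup")
    if value is None:
        return "ECLSetup missing from notes.ini: per the deck this resets the ECL at next client start"
    if value != "3":
        return f"ECLSetup={value}: not the value (3) the deck associates with a configured ECL"
    return None


def stored_forms_allowed(icon_flags):
    """Design flags are single case-sensitive letters; lowercase 'f' = stored forms allowed."""
    return "f" in icon_flags


def progid_registered(progid):
    """True when HKEY_CLASSES_ROOT\\<progid> exists; only meaningful on Windows."""
    if sys.platform != "win32":
        return False
    import winreg  # Windows-only module, hence the local import
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid):
            return True
    except OSError:
        return False


def audit(ini_text, icon_flags_by_db, progid_check=progid_registered):
    """Collect findings; progid_check is injectable so the audit can run off-box."""
    findings = []
    ecl = audit_ecl_setup(parse_notes_ini(ini_text))
    if ecl:
        findings.append(ecl)
    for db, flags in icon_flags_by_db.items():
        if stored_forms_allowed(flags):
            findings.append(f"{db}: $FLAGS={flags!r} allows stored forms")
    for progid in OLE_PROGIDS:
        if progid_check(progid):
            findings.append(f"{progid} registered: OLE automation reaches the Notes API without ECL checks")
    return findings


# Constructed samples: a workstation whose ECLSetup line was deleted and whose
# mail file still allows stored forms. The check is case-sensitive, so 'F' must not match.
SAMPLE_NOTES_INI = """[Notes]
KitType=1
Directory=C:\\Lotus\\Notes\\Data
KeyFilename=user.id
"""
SAMPLE_ICON_FLAGS = {"mail\\user.nsf": "f", "names.nsf": "F"}

if __name__ == "__main__":
    for line in audit(SAMPLE_NOTES_INI, SAMPLE_ICON_FLAGS, lambda p: p == "Notes.NotesSession"):
        print("finding:", line)
```

On a real workstation, pass the contents of the client's notes.ini and the $FLAGS values read from each database's Icon note, and leave `progid_check` at its default so the registry is consulted.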
ECL Attacks
  - Observations
      - ECLs do not intercept API calls
      - Payloads execute on full behalf of the Notes user
      - The Notes client is not being used

ECL Attacks
  - Recommendations
      - OLE: remove from the Registry
          - Notes.NotesSession
          - Notes.NotesUIWorkspace
      - Press F5 prior to launching attachments
      - Use the internal Notes Viewer

Live Demo
  - F5 doesn't do what you think

Conclusion
  - Observations
      - Once an API program has acquired access, it remains cached
      - The User ID sharing is a flag in the Notes process memory
  - Vulnerability
      - The flag can be changed from an external program
      - F5 is limited to the Notes client only
      - Notes API programs can only access what the Notes client accessed before

Recommendation
  - Instead of using F5 or auto-lock, kill your Notes client

HTTP Password Hash
  - Lotus HTTP passwords are based on a modified RC4 implementation
  - HTTP passwords are not salted, so identical passwords yield identical hashes for every user
      - 355E98E7C7B59BD810ED845AD0FD2FC4 = password
      - 06E0A50B579AD2CD5FFDC48564627EE7 = secret
      - CD2D90E8E00D8A2A63A81F531EA8A9A3 = lotus
  - Basic dictionary-based password guessing programs are possible

Notes User ID file
  - Delivers:
      - Authentication: access control
      - Non-repudiation & integrity: digital signature
      - Confidentiality: encryption

Notes User ID file
  - Contains:
      - Encrypted private and public key
      - User information
      - Expiration date
      - Integrity control
  - Used by:
      - Lotus Notes client
      - Lotus Domino server
      - Notes API based programs

Lotus Notes Client
  - ID file related features:
      - Blocks brute-force attacks
      - Digest checked in the server NAB
      - Auto logoff & F5-based lockout
      - User ID sharing (API programs)

Notes Identity Theft
  - Within your organization
      - At your own workstation
      - Within your Notes network
  - Outside your organization
      - With your web browser
      - Through hostile code

Demonstration

Conclusion
  - F5 does not clear your private information
  - Because the ID file and its password hash are available, your ID file can be validated without its password, by other people
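The "HTTP Password Hash" slide above says the hash is unsalted and that dictionary-based guessing is therefore possible. The script below is an added example for this page, not code from the presentation: it shows what "unsalted" buys the attacker, namely that one table computed over the wordlist cracks every person document in a names.nsf dump, and that password reuse is visible from equal hashes alone. The Lotus algorithm itself is not reproduced here: `hash_fn` is pluggable and defaults to an MD5 stand-in, clearly a substitute and not the Domino hash. The slide's three hash/plaintext pairs are kept as test vectors so that a real implementation can be validated with `verify_hash_fn` before it is used; the person-document dump, user names and wordlist are constructed.

```python
"""Dictionary attack against unsalted Domino HTTP password hashes.

Added example, not part of the original presentation. The Domino hash is not
implemented: hash_fn defaults to an MD5 stand-in formatted like the 32-hex
HTTPPassword field. The slide's hash/plaintext pairs serve as test vectors for
validating a real implementation.
"""
import hashlib
from collections import defaultdict

# Real vectors quoted on the "HTTP Password Hash" slide (legacy 32-hex-digit form).
KNOWN_VECTORS = {
    "355E98E7C7B59BD810ED845AD0FD2FC4": "password",
    "06E0A50B579AD2CD5FFDC48564627EE7": "secret",
    "CD2D90E8E00D8A2A63A81F531EA8A9A3": "lotus",
}


def standin_hash(password):
    """Stand-in only: MD5 in the shape of the Domino field. Not the Lotus algorithm."""
    return hashlib.md5(password.encode("latin-1")).hexdigest().upper()


def verify_hash_fn(hash_fn):
    """True only if hash_fn reproduces the slide's vectors, i.e. is a real implementation."""
    return all(hash_fn(pw).upper() == h for h, pw in KNOWN_VECTORS.items())


def build_table(wordlist, hash_fn):
    """No salt: hash each candidate once; the same table serves every user in the dump."""
    return {hash_fn(word).upper(): word for word in wordlist}


def crack(dump, wordlist, hash_fn=standin_hash):
    """dump: iterable of (username, HTTPPassword) pairs as read from person documents."""
    table = build_table(wordlist, hash_fn)
    return {user: table[h.upper()] for user, h in dump if h.upper() in table}


def shared_passwords(dump):
    """Unsalted hashes leak reuse directly: equal hash means equal password."""
    groups = defaultdict(list)
    for user, h in dump:
        groups[h.upper()].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed person-document dump; hashes come from the stand-in so this runs offline.
SAMPLE_DUMP = [
    ("CN=Alice Smith/O=Example", standin_hash("password")),
    ("CN=Bob Jones/O=Example", standin_hash("secret")),
    ("CN=Carol King/O=Example", standin_hash("password")),
    ("CN=Dan Lee/O=Example", standin_hash("Tr0ub4dor&3")),
]
SAMPLE_WORDLIST = ["123456", "password", "lotus", "secret", "notes"]

if __name__ == "__main__":
    print("stand-in reproduces slide vectors:", verify_hash_fn(standin_hash))
    for user, pw in crack(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw}")
    for users in shared_passwords(SAMPLE_DUMP).values():
        print("same password:", ", ".join(users))
```

With a real `hash_fn` that passes `verify_hash_fn`, `crack()` runs unchanged over hashes read from the HTTPPassword field of names.nsf; the cost is one hash per wordlist entry regardless of how many users the directory holds, which is exactly the property a salt would remove.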
Summary
  - Password Hash
      - Can be found in the Notes NAB
          - With a Notes client
          - With a browser
      - Resides in the Notes process memory
  - User ID File
      - Can be found:
          - On the local workstation
          - On shared drives
          - In the Domino Directory (Names & Address Book)

Recommendations
  - Restrict access from the Web
  - Don't store User IDs in the NAB
  - Choose different passwords for the ID and the HTTP account
  - Store the User ID file on removable media
  - Use the strong password hash (Lotus)
  - Manually upgrade to the stronger hash (Lotus)
  - Exit Notes completely when leaving your desk
  - Never click on ANY email attachments

Recommendations
  - Enforce ACLs on ALL databases
  - Restrict anonymous browsing on all default databases
  - Disable stored forms on mail databases
  - Enforce strong ECLs on all unsigned and untrusted documents
  - Ensure strong host-level security on all Notes servers

For More Information
  - http://www.trust-factory.com
  - http://www.sdi-group.com
  - http://www.lotus.com
About this presentation

This was the joint presentation made by Chris Goggans, Kevin McPeake, Patrick Guenther and Wouter Aukema (Trust Factory BV & Security Design International BV) at DEFCON 8 on July 29, 2000. It covers security vulnerabilities and misconfigurations of Lotus Notes & Domino. Keywords: Lotus Notes, Domino, Security, Password Hash, ECL, ACL, Stored Forms.