Falling Domino’s
R.K. McPeake
W. Aukema
TRUST FACTORY
Trust but Verify
Black Hat Windows 2000 Security, February 2001

Agenda

Item                           Minutes  Speaker
Introduction                   5        Kevin
Lotus Notes Security 1         40       Kevin
Break                          5
Lotus Notes Security 2         45       Wouter
Conclusions & Recommendations  10       Kevin & Wouter

General Introduction
• Trust, but Verify
• DEFCON-8, July 31, Las Vegas
• Full Disclosure vs. Limited Disclosure
• SDI, Inc. - our trusted 3rd party validator

General Introduction
• Crucial Facts - Lotus left them out
• Domino & Notes - under further scrutiny
• Our Future

Intro Lotus Notes

What is Lotus Notes?
• Secure Groupware Platform
  » Email, Application, Web & Database connectivity services
• Application Development Platform
  » @Formula language, LotusScript, Javascript, Java, C/C++ API

How big is Lotus Notes?
• Over 60 million corporate users
  » Major Releases: 4.5-, 4.6-, 5.0-

Who Uses Notes?
• Government
  » Legislature
  » Military
  » Intelligence Agencies
• Multinationals
  » Manufacturing
  » Pharmaceuticals
  » Petrochemical
  » Defense Contractors
• Utilities
  » Power Companies
  » Telcos
• Finance
  » Accounting
  » Banks
  » Insurance
• Others
  » Law Firms

Why people use Notes
• Security Features
• Public Key Infrastructure
  » Authentication
  » Encryption
• Access control levels
  » Server, Database
  » Document, Field
• Reputation
• Extremely few vulnerabilities

Client Platform Support
• Release 4:
  » Win95
  » Win98
  » WinNT
  » Win2000
  » Macintosh
  » Sun Solaris
  » OS/2
• Release 5:
  » Win95
  » Win98
  » WinNT
  » Win2000
  » Macintosh
  » Sun Solaris
  » OS/2
  (two entries are marked XXX on the slide)

Server Platform Support
• Release 4:
  » Windows 95,98,NT
  » Netware
  » Solaris
  » HPUX
  » AIX
  » OS/390-400
  » OS/2
• Release 5:
  » Windows 95,98,NT,2000
  » Netware
  » Solaris
  » HPUX
  » AIX
  » OS/390-400
  » OS/2
  » Linux
  (two entries are marked XXX on the slide)

Lotus Notes Security
• Part I - Kevin
  1 - Access Control Lists
  2 - Server ID-files and passwords
  3 - HTTP Server
  4 - Names & Address Book
• Part II - Wouter
  5 - Stored Forms
  6 - Execution Control List
  7 - Password Hashing
  8 - ID-file Validation

Security Issues - I

1 - ACL Issues
• Access Control Lists = ACL
• Purpose
  » To restrict access to Notes databases
• Issue
  » Default settings are insecure and allow people to read (& sometimes modify) databases

1 - ACL Issues
Database     Contents                                  What an open ACL allows
names.nsf    Blueprint Notes Infrastructure            Browse Setup & User Accounts
catalog.nsf  Lists all Notes Databases                 Browse ACL’s & File-locations
domcfg.nsf   Setup / Config of Webserver               Create Virtual Servers/Re-directs
log.nsf      Monitoring Server/User/Agent Activity     Browse User & Server Activity
• and more...

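The slides above state the problem (permissive default ACLs on the system databases) without showing how an administrator would find such entries across a server. The script below is an added example, not code from the deck or from Lotus: it audits an inventory shaped like a catalog.nsf listing (database path plus ACL entries) and reports every catch-all entry ("-Default-", "Anonymous") that exceeds a policy ceiling. The access-level names are the real Domino ACL levels; the inventory is constructed sample data, and the per-database ceilings are a policy choice assumed for the example.

```python
# Added example (not from the Trust Factory deck): audit Domino-style ACLs
# for permissive catch-all entries. The inventory is constructed sample data
# shaped like a catalog.nsf listing; the policy ceilings are assumed.

# Domino ACL access levels, weakest to strongest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Entries that apply to anyone not named explicitly. "-Default-" covers every
# authenticated identity without a more specific entry; "Anonymous" covers
# unauthenticated web/Notes access.
CATCH_ALL_ENTRIES = ("-Default-", "Anonymous")

# Databases the deck calls out as sensitive when exposed, with the strictest
# catch-all level tolerated for each (assumed policy for this example).
POLICY_MAX = {
    "names.nsf": "No Access",
    "catalog.nsf": "No Access",
    "domcfg.nsf": "No Access",
    "log.nsf": "No Access",
}
GENERAL_MAX = "Reader"  # assumed ceiling for any other database

# Constructed sample inventory (not real server data).
SAMPLE_INVENTORY = [
    {"path": "names.nsf", "acl": {"-Default-": "Author", "Anonymous": "No Access", "LocalDomainAdmins": "Manager"}},
    {"path": "catalog.nsf", "acl": {"-Default-": "Reader", "Anonymous": "Reader"}},
    {"path": "domcfg.nsf", "acl": {"-Default-": "No Access", "Anonymous": "No Access", "LocalDomainAdmins": "Manager"}},
    {"path": "log.nsf", "acl": {"-Default-": "Reader"}},
    {"path": "sales/orders.nsf", "acl": {"-Default-": "Editor", "Anonymous": "No Access"}},
    {"path": "help/readme.nsf", "acl": {"-Default-": "Reader", "Anonymous": "Reader"}},
]


def ceiling_for(path):
    """Maximum catch-all access tolerated for a database, keyed by file name."""
    name = path.rsplit("/", 1)[-1].lower()
    return POLICY_MAX.get(name, GENERAL_MAX)


def audit_acls(inventory):
    """Return (path, entry, granted, allowed) for each catch-all entry above policy.

    Domino applies the -Default- level to anonymous users when the ACL has no
    Anonymous entry, so a missing Anonymous entry is evaluated at -Default-."""
    findings = []
    for db in inventory:
        allowed = ceiling_for(db["path"])
        for entry in CATCH_ALL_ENTRIES:
            granted = db["acl"].get(entry)
            if granted is None and entry == "Anonymous":
                granted = db["acl"].get("-Default-")
            if granted is None:
                continue
            if RANK[granted] > RANK[allowed]:
                findings.append((db["path"], entry, granted, allowed))
    return findings


if __name__ == "__main__":
    for path, entry, granted, allowed in audit_acls(SAMPLE_INVENTORY):
        print(f"{path}: {entry} has {granted}, policy allows at most {allowed}")
```

Run against the sample inventory, the audit flags names.nsf, catalog.nsf and log.nsf (including log.nsf's implicit Anonymous access inherited from -Default-) and the over-permissive business database, while domcfg.nsf and the read-only help database pass. Feeding it a real catalog export only requires mapping the export's fields onto the `path`/`acl` shape used here.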
2 - Server ID Issues
• SERVER.ID Files
• Purpose
  » Server Identity
• Issue
  » To allow auto-restart of Notes servers, absence of password is recommended.

2 - Server-ID Issues
• With stolen ID-file, one can:
  » Open databases from that server
  » Access other servers
  » Create a new “fake” server

3 - HTTP Server Issues
• Using URL Syntax
• http://www.example.com/ +
  » ?open - Allows full database browsing
  » database.nsf/$DefaultNav?OpenNavigator
  » .nsf/../xxx - results in files being served
  » /view/$readviewentries
• Using HTML Syntax
• Saving & modifying html-source allows upload of unwanted content

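The URL forms on this slide are easy to recognise in a web server log, which is how a Domino administrator would notice footprinting. The scanner below is an added example, not from the deck: it parses Common Log Format lines, percent-decodes the request path (which the slide does not mention, but which catches encoded variants of the same requests) and matches the four URL patterns the slide lists. The log lines and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Added example (not from the Trust Factory deck): flag web requests that use
# the Domino URL syntax the slide lists. Log lines below are constructed
# samples in Common Log Format; the rule names are this example's own.

# Each rule: (name, pattern applied to the percent-decoded request path).
RULES = [
    # bare "?open" on a database: opens it for browsing
    ("database-browse", re.compile(r"\.nsf\?open(?:$|&)", re.I)),
    # default navigator lists the database's views and folders
    ("default-navigator", re.compile(r"\$DefaultNav\?OpenNavigator", re.I)),
    # ".nsf/../" escapes the database path into the server file system
    ("path-traversal", re.compile(r"\.nsf/\.\.(?:/|$)", re.I)),
    # bulk export of a view's entries
    ("readviewentries", re.compile(r"\$readviewentries", re.I)),
]

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample traffic (not a real server log).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2001:10:01:02 +0100] "GET /names.nsf?open HTTP/1.0" 200 5120
10.0.0.5 - - [12/Feb/2001:10:01:09 +0100] "GET /catalog.nsf/$DefaultNav?OpenNavigator HTTP/1.0" 200 7310
10.0.0.5 - - [12/Feb/2001:10:01:15 +0100] "GET /log.nsf/../notes.ini HTTP/1.0" 200 2048
10.0.0.5 - - [12/Feb/2001:10:01:21 +0100] "GET /names.nsf/People/$readviewentries HTTP/1.0" 200 91022
10.0.0.7 - - [12/Feb/2001:10:02:00 +0100] "GET /mail/alice.nsf/Inbox?OpenView HTTP/1.0" 200 4120
10.0.0.5 - - [12/Feb/2001:10:02:11 +0100] "GET /domcfg.nsf/%2e%2e/notes.ini HTTP/1.0" 404 310
10.0.0.8 - - [12/Feb/2001:10:02:30 +0100] "GET /index.html HTTP/1.0" 200 1203
"""


def parse_clf(line):
    """Split one CLF line into its fields, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Names of every rule the percent-decoded request path matches."""
    decoded = unquote(path)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def scan_log(text):
    """Return (ip, rule, raw path, status) for every matching request."""
    alerts = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        for rule in classify_request(rec["path"]):
            alerts.append((rec["ip"], rule, rec["path"], rec["status"]))
    return alerts


def suspicious_sources(alerts, threshold=3):
    """Client addresses with at least `threshold` hits: one host walking the server."""
    counts = {}
    for ip, _rule, _path, _status in alerts:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, rule, path, status in hits:
        print(f"{ip} {rule:<18} {status} {path}")
    print("sources exceeding threshold:", suspicious_sources(hits))
```

A legitimate request such as `Inbox?OpenView` on a mail file does not trigger the browse rule, and a 404 still counts as an attempt. Correlating several distinct rules from one address, as `suspicious_sources` does, separates footprinting from the occasional odd URL.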
4 - Database Issues
• Names and Address Book
  » User ID’s stored with person document
  » HTTP-Username + Password viewable by all internal users
  » HTTP password = ID-file password

4 - Database Issues
• Catalog Database
  » Stores a full listing of all databases
  » Stores current ACL information for each database
  » Complete with full file paths for each DB
  » Various DB properties also stored
  » Domain Indexer Properties

4 - Database Issues
• Log Database
  » Database Pathname
  » who’s got Manager rights in the ACL
  » Usage information
  » Server Console Log - how often is it used?
  » Routing information
  » Replication information

4 - Database Issues
• Administration Requests Database
  » A centralized “crontab” for Notes events
  » Server performs task on behalf of Admin

4 - Database Issues
• Statistics & Events Database
  » The “watchdog” for any Domino server
  » Watches for “events” and sends notifications to Admins when a ‘set’ status is obtained / triggered
  » An event can be a ‘threshold, TCP probe, ACL change, etc.’

4 - Database Issues
• Other Databases
  » In Domino R5.x - 58 possible default Databases
  » Many do not have proper default ACL’s
  » Most provide valuable information to an attacker, if exposed

Footprinting a Domino server
A little Demonstration… ;-)

Issues - 6
• Notes Database Structure
• Data
  » Structured data
  » RichText (attachments, actions, etc.)
  » HTML (Java / JavaScript)
• Forms
  » Rendering data
  » Programmable Events
• Stored Forms
  » Database Object with Form

Stored Forms Issues
• Background
• Reported back in 1996
  » Oliver Buerger, Germany
  » Der Spiegel (11-03-1996, page 220-222)
  » Lotus responds with the ECL in R4.5
• 4 Years later, in 2000
  » Very few have the ECL setup correctly
  » Almost everyone allows Stored Forms

Stored Forms Issues
• Purpose
  » Workflow Applications
  » Client Administration
• Issues
  » Enabled by default in every database
  » In QueryOpen event, no user interaction
  » Transmitted over SMTP

Stored Forms Issues
Demonstration

Our Research
• Background
• Published at DEFCON-8, Las Vegas
• Ethical Disclosure
• Much Exposure, but
• Missing Crucial Details

Our Research
• What we will discuss
• Design Elements
• Bypassing the ECL
• Unclear User Preferences
• Password hash
• Validating ID-files

Notes Design Elements
• Design Elements
  » Stored in obscure locations within db
  » Can be Modified with Editor access
  » Accessible as regular Notes Documents
• Example
  » Stored Form enabled via ‘f’ in $Flags item of an Icon document in mail db
  » For mail based on mail50.ntf template, the note-id for...
    Icon doc = 10E
    DbScript = 276

Execution Control Lists
• Introduced with Release 4.5, to combat the problem with stored forms
• Controls what “foreign” code can be executed depending on Notes “Signatures”
  » Trusted Signature: Which functions to allow
  » Default: for Signatures not specified in ECL
  » No Signature: for unsigned code

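The three-way resolution on this slide (named trusted signer, a default entry for other signatures, a separate entry for unsigned code) is what decides whether code arriving in a stored form runs. The model below is an added example, not code from the deck or from Lotus. It encodes that resolution and contrasts a permissive configuration, in which the two catch-all entries grant everything, with a hardened one in which only named signers get capabilities. The capability names are an illustrative subset chosen for the example, the entry names "-Default-" and "-No Signature-" are the ones used here, and the signer names are constructed.

```python
from dataclasses import dataclass

# Added example (not from the Trust Factory deck): a model of how a Notes-style
# Execution Control List decides which entry governs a piece of code and which
# capabilities that entry grants. Capability names are an illustrative subset
# chosen for this example; signer names are constructed.

CAPABILITIES = frozenset({
    "file_system", "current_database", "environment_variables",
    "external_code", "external_programs", "send_mail", "other_databases",
})

DEFAULT_ENTRY = "-Default-"            # governs signatures with no explicit entry
NO_SIGNATURE_ENTRY = "-No Signature-"  # governs unsigned code


@dataclass
class Ecl:
    entries: dict  # signer name -> set of granted capabilities

    def resolve(self, signer):
        """Return the entry that governs code from `signer` (None = unsigned)."""
        if signer is None:
            return NO_SIGNATURE_ENTRY
        if signer in self.entries:
            return signer
        return DEFAULT_ENTRY

    def is_allowed(self, signer, capability):
        """True if the governing entry grants `capability`."""
        if capability not in CAPABILITIES:
            raise ValueError(f"unknown capability: {capability}")
        return capability in self.entries.get(self.resolve(signer), set())

    def denied(self, signer, needed):
        """Capabilities in `needed` the ECL refuses for this signer."""
        return {c for c in needed if not self.is_allowed(signer, c)}

    def weak_entries(self):
        """Catch-all entries that grant anything: every stranger inherits them."""
        return [e for e in (DEFAULT_ENTRY, NO_SIGNATURE_ENTRY) if self.entries.get(e)]


# Permissive: the catch-all entries grant everything, so unsigned code and
# code from any unknown signer run with full capabilities.
PERMISSIVE_ECL = Ecl({
    DEFAULT_ENTRY: set(CAPABILITIES),
    NO_SIGNATURE_ENTRY: set(CAPABILITIES),
    "Template Development/ExampleOrg": set(CAPABILITIES),  # constructed signer
})

# Hardened: catch-all entries grant nothing; only named, trusted signers get
# the capabilities their applications actually need.
HARDENED_ECL = Ecl({
    DEFAULT_ENTRY: set(),
    NO_SIGNATURE_ENTRY: set(),
    "Template Development/ExampleOrg": set(CAPABILITIES),                  # constructed
    "Domino Admin/ExampleOrg": {"current_database", "send_mail", "other_databases"},  # constructed
})


if __name__ == "__main__":
    # Code in a mailed stored form is typically unsigned or signed by an outsider.
    needs = {"file_system", "send_mail"}
    for label, ecl in (("permissive", PERMISSIVE_ECL), ("hardened", HARDENED_ECL)):
        print(label, "unsigned ->", ecl.resolve(None), "denies", sorted(ecl.denied(None, needs)))
        print(label, "outsider ->", ecl.resolve("Someone/Else"), "denies",
              sorted(ecl.denied("Someone/Else", needs)))
        print(label, "weak catch-all entries:", ecl.weak_entries())
```

The useful check for an administrator is `weak_entries()`: any capability left on "-Default-" or "-No Signature-" is inherited by every signer not explicitly listed, which is the condition under which a stored form's QueryOpen code runs without a trusted signature behind it.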
Execution Control List
• ECL
• Purpose
  » To restrict execution of untrusted code at Notes client
• Issue
  » R4 until R5.01: Default settings allow execution of untrusted & unsigned code

ECL Issues
• Execution of Malicious Code
  » Melissa
  » LoveBug

Execution Control Lists
• Common ECL Problems
  » Very Few Administrators and Users understand ECL concepts
  » ECL settings are stored in obscure location
  » Until release 5.0.2- default settings allow “WORLD” access

Execution Control Lists
• We noticed two ways to reset the ECL of a Notes client
  » @RefreshECL (“” : “” ; “”)
  » Remove ECLSetup = 3 from notes.ini

Execution Control Lists
• We noticed that
  » Notes API calls are not Intercepted by the ECL
  » OLE/COM uses Notes API

Execution Control Lists
Demonstration

Unclear User Preferences
• F5 doesn’t always do what you think…
• Especially when sharing that User ID …

Unclear User Preferences
Demonstration

Unclear User Preferences
• Observations
  » Once API program has acquired access, password remains cached
  » User ID sharing is a flag in Notes Memory Process
• Vulnerability
  » Flag can be changed from external program
  » F5 limited to Notes client only
Note: API program can only access what Notes Client has accessed before.

HTTP Password Hash
• Based on modified RC4 implementation
• HTTP passwords not salted
  » 355E98E7C7B59BD810ED845AD0FD2FC4 = “password”
  » 06E0A50B579AD2CD5FFDC48564627EE7 = “secret”
  » CD2D90E8E00D8A2A63A81F531EA8A9A3 = “lotus”
• Brute force/dictionary-attacks are possible

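The weakness on this slide is the absence of a salt, not the particular primitive: without per-user input, every user with the same password stores the same digest, and one precomputed table answers for all of them. The script below is an added example, not from the deck or from Lotus; SHA-256 stands in for the digest function and the deck's modified-RC4 construction is not reproduced. It goes a step beyond the slide by showing what a directory reader can learn even without cracking anything (password reuse between users), then shows both effects disappearing once a per-user salt is added. The user list and passwords are constructed.

```python
import hashlib

# Added example (not from the Trust Factory deck): why an unsalted password
# digest is weak. SHA-256 is a stand-in for the digest function; the deck
# describes the Domino HTTP hash as a modified RC4 construction, which is
# NOT reproduced here. The property demonstrated is salting, not the primitive.


def unsalted_digest(password):
    """No per-user input: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()


def salted_digest(password, salt):
    """Digest bound to a per-user salt (bytes); real salts must be random."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest().upper()


# Constructed sample directory (user -> plaintext), standing in for the
# person documents whose HTTP password field the deck says is readable.
SAMPLE_USERS = {"alice": "secret", "bob": "lotus", "carol": "secret", "dave": "password"}


def unsalted_directory(users):
    """What the directory stores under an unsalted scheme."""
    return {user: unsalted_digest(pw) for user, pw in users.items()}


def salted_directory(users, salts):
    """What the directory stores once each user has a distinct salt."""
    return {user: salted_digest(pw, salts[user]) for user, pw in users.items()}


def shared_digest_groups(directory):
    """Groups of users whose stored digests are identical.

    Under an unsalted scheme this reveals password reuse to anyone who can
    read the directory, before any guessing takes place."""
    by_digest = {}
    for user, digest in directory.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in by_digest.values() if len(users) > 1)


def blocklist_table(banned_passwords):
    """Digest -> plaintext table for a list of banned passwords.

    Computed once and reusable against every user: the precomputation that a
    per-user salt exists to prevent."""
    return {unsalted_digest(pw): pw for pw in banned_passwords}


def users_on_blocklist(table, directory):
    """Users whose stored digest appears in the precomputed table."""
    return {user: table[d] for user, d in directory.items() if d in table}


if __name__ == "__main__":
    plain = unsalted_directory(SAMPLE_USERS)
    table = blocklist_table(["password", "secret", "lotus", "changeme"])
    print("unsalted: shared passwords", shared_digest_groups(plain))
    print("unsalted: blocklist hits", users_on_blocklist(table, plain))

    # Constructed deterministic salts so the run is reproducible; a real
    # deployment draws each salt from os.urandom().
    salts = {user: user.encode("utf-8") + b"-salt" for user in SAMPLE_USERS}
    salted = salted_directory(SAMPLE_USERS, salts)
    print("salted: shared passwords", shared_digest_groups(salted))
    print("salted: blocklist hits", users_on_blocklist(table, salted))
```

The same `blocklist_table` lookup that an auditor runs against their own directory is the dictionary attack the slide warns about, which is why the deck's recommendation to move to the stronger hash matters. Salting stops the one-table-for-everyone shortcut; a purpose-built password hash (bcrypt, scrypt or Argon2) additionally makes each individual guess expensive.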
HTTP Password Hash
Demonstration

Notes User ID file
• Delivers:
• Authentication
  » Access Control
• Non Repudiation & Integrity
  » Digital Signature
• Confidentiality
  » Encryption

Notes User ID file
• Contains:
  » Encrypted Private and Public Key
  » User Information
  » Expiration Date
  » Integrity Control
• Used by:
  » Notes Client
  » Domino Server
  » API based programs

Notes User ID file
• Notes Client Features:
  » Blocks brute-force attacks
  » Digest checked in server NAB
  » Auto logoff & F5-based lockout
  » User ID sharing (API-programs)

Notes User ID file
• Identity Theft can occur from:
  » Inside your Network
  » Outside your Organization

Notes User ID file
Demonstration

Conclusions
• Multiple Vulnerabilities exist
• At All Levels in the Notes / Domino Environment
• Causing Serious Threats
  » Vandalism
  » Theft
  » Fraud
  » Warfare

Conclusions
• Domino Server Security
• URL syntax
  » Viewing unintended content
  » Uploading content
• Server ID file
  » No password recommended

Conclusions
• Workstation Security
• Execution of Malicious Code
  » Stored Forms
  » Two ways to reset ECL
  » Bypass ECL with OLE/API calls
• Continuing a Locked Session
  » With API programs (NotesPeek)
  » Resetting Sharing Flag

Conclusions
• Database Security
• Design Elements
  » Accessible as Notes Documents
  » Editor Access to Modify/Corrupt
• Names & Address Book
  » ECL settings in obscure locations
  » http-hashes and other sensitive data viewable by all internal users
  » ID files downloadable

Conclusions
• ID File Security
• ID’s can be obtained
  » Download from Names&Address Book
  » With malicious code / email
  » From workstation local/network drive
• ID’s can be validated
  » With http-password hash
  » During active/cleared session

Conclusions
• All vulnerabilities shown today can be dealt with, except for one.
• Notes/Domino is still a very secure platform.

Recommendations
• Restrict access from the Web
• Don’t store User IDs in NAB
• Choose Different Passwords for ID and HTTP account
• Store User ID file on removable media
• Use strong password hash (Lotus)
  » Manually upgrade to the stronger hash (Lotus)
• Exit Notes completely when leaving your desk
• Never click on ANY email attachments

Recommendations
• Enforce ACLs on ALL databases
• Restrict anonymous browsing on all default databases
• Disable stored forms on mail databases
• Enforce strong ECLs on all unsigned and untrusted documents
• Ensure strong host-level security on all Notes servers

Recommendations
• Look at Lotus
  » Domino offers many security features: USE THEM
  » Check the SecurityZone on their website
  » Stay informed
• Take Action
  » Assess your level of security
  » Acquire Third Party Validation for your implementation

For More Information
• Web
  » http://www.trust-factory.com
  » http://www.sdi-group.com
  » http://www.lotus.com

Q&A

Contact Details
Trust Factory B.V.
Bazarstraat 44-a
2518 AK The Hague
The Netherlands
+31 70 362 0684
[email protected]