Re: Lotus Notes Stored Form Vulnerability

[Security Advisory <Security.Advisory () VMD DESJARDINS COM>]

I am not certain of the need to send the memo internally.
There is a mail distribution option that allows the user to indicate that
the
recipient is a notes user, thus packaging the email in 'Notes Rich Text'
format. I have successfully sent and accepted meeting invitations this
way, as well as verified that commonly shared custom 'letterheads'
would also follow, which means that at least some of the other fields
(as well as the ones needed to route the email) also get packaged-in.

Also, having or creating a 'dev' ID is hardly a problem.  One needs
only to be running one's own site to be free of creating any ID one wishes.
At first hand, and especially without having crafted an exploit to test
this, I would be one to be concerned about this possibility.
Would love more info.

Frank.






Derek Reynolds <dreynol () columbus rr com> le 02/09/2001 11:31:58 PM

Veuillez répondre à Derek Reynolds <dreynol () columbus rr com>

Pour :    BUGTRAQ () SECURITYFOCUS COM
Objet :   Re: Lotus Notes Stored Form Vulnerability



Yeah I can confirm this works.   I tested this awhile ago.  Used the
postopen event and utilized LotusScripts ability to access open APIs.
I successfully was able to remotely reboot a users computer, remove their
task bar among other things.

You could litterly copy/paste the mellisa virus code into the postopen
even and it would act the same way the virus did with
Outlook/Exchange since the development environment is mimicked after
VBA.

Again, this would have to be crafted by someone with a developer ID
and the memo would have to be sent internally.  Not near as big a threat.



--
Best regards,
 Derek                            mailto:dreynol () columbus rr com

Friday, February 09, 2001, 11:13:29 AM, you wrote:

CJ>
_________________________________________________________________________

CJ>   Security Advisory:    Lotus Notes Stored Form Vulnerability
CJ>   Date:                         8th February 2001
CJ>   Author:               Chris Jones (aka dp) dp () ic-crypt com
CJ>   Versions Affected:    At present only Lotus Notes v4.6 has been
tested
CJ>
_________________________________________________________________________


CJ> ----[ Exploit Introduction ] ------------------------------------------
CJ> Due to the design flaws of Lotus Notes databases, a user with
sufficient
knowledge can craft a Lotus Notes Email in such a way that the recipient
only
has to open the email or view the email
CJ> using the preview panes to become infected or to run the arbitrary
code.

CJ> The problem lies in Lotus Notes ability to allow developers to create
forms
that do not rely on a specific template in a database (like normal emails)
but
instead uses its own in built templates
CJ> that travel within the document. Using these methods an experienced
Lotus
Notes developer could create an email enabled worm specifically for Lotus
Notes
networks. Which could do anything from
CJ> delete a few files to granting ACL rights to the persons mail box (so
all
emails could be viewed) to retrieving the users cached passwords or similar
information. Another key point that allows
CJ> this exploit to occur is that the design of the mailbox database has by
default been allowed to accept stored forms.


CJ> ----[ Exploit Generation ]
---------------------------------------------
CJ> To generate the email a malicious user will need to modify the default
'memo' form's design - which does require a developer's edition of Lotus
Notes. The malicious user then has to modify the
CJ> forms' properties so the 'Store form in Document' action is checked.
The
malicious user then has a choice he could insert code into the forms
'PostOpen'
event, which requires Lotus Script
CJ> programming knowledge or he can go the easy method and modify the forms
'Launch' properties which allows you to launch the first document
attachment
when opened which could be absolutely anything.


CJ> ----[ Quick Fix ]
------------------------------------------------------
CJ> There is a very quick and very easy method of disabling this feature
and
that is to modify the mailbox database properties so that the 'Allow stored
forms' is unchecked. This will stop any forms
CJ> of this attack.


CJ> ----[ Platforms Tested ]
-----------------------------------------------
CJ> We tested this exploit out using Lotus Notes version 4.6 but any
version of
Lotus Notes 4 should be affected, as I am sure lower and higher versions
would
be as well. In our experiment I was able
CJ> to gain manager access to someone else's Email Box using 4 Lines of
Lotus
Script code.


CJ> ----[ Other Notes ]
----------------------------------------------------
CJ> Using Lotus Script you can even change the source address of the email
to
fool the user into believing that the infected email came from a trusted
source.
You could even go so far as to code the
CJ> email so it looks at the target's mailbox and creates a duplicate
document
of his most recent email, so it looks as some other user has sent him two
copies
of the same email.

CJ>
_________________________________________________________________________
CJ> -   www.progenic.com    -
CJ>
_________________________________________________________________________



CJ> _____________________________________________________________
CJ> IC-CRYPT.com - Enhancing Communications Since 1998