Vulnerability: Lotus Notes stored forms allow code execution by opening or previewing an email

Affected: Lotus Notes 4.x (tested on 4.6; any Notes 4 release should be affected)

Description: Chris Jones found the following. Because of a design weakness in Lotus Notes databases, a user with sufficient knowledge can craft a Lotus Notes email such that the recipient only has to open the email, or view it in the preview pane, to become infected or to run arbitrary code. The problem lies in Notes' ability to let developers create forms that do not rely on a specific template in the database (as normal emails do) but instead carry their own design inside the document. Using this, an experienced Lotus Notes developer could create an email-borne worm targeting Lotus Notes networks that could do anything from deleting a few files, to granting itself ACL rights on the victim's mailbox (so all of the victim's email could be read), to retrieving the user's cached passwords or similar information. The second precondition for the attack is that the mail database design accepts stored forms by default.

To generate the email, the attacker modifies the design of the default 'Memo' form, which requires a developer's edition of Lotus Notes, and sets the form's 'Store form in Document' property. The attacker then has a choice: insert code into the form's 'PostOpen' event, which requires LotusScript programming knowledge, or take the easier route and modify the form's 'Launch' properties so that the first document attachment is launched when the document is opened. That attachment could be absolutely anything.

Chris tested this using Lotus Notes 4.6, but any version of Lotus Notes 4 should be affected. In his experiment he gained Manager access to someone else's mailbox with four lines of LotusScript.
Using LotusScript, the attacker can even change the source address of the email to fool the user into believing the infected message came from a trusted source. The code could go so far as to look at the target's mailbox and create a duplicate of the most recent email, so it appears that another user has sent two copies of the same message. The Melissa virus code could literally be copied into the PostOpen event and it would behave the same way it did with Outlook/Exchange, since the LotusScript development environment mimics VBA.

Solution: There is a very quick and easy way to disable this feature: modify the mail database properties so that 'Allow stored forms' is unchecked. This stops this form of the attack. Note that the setting is per database, so it has to be applied to every mail file, not just the one that was tested.

Lotus Notes also has a security measure called the ECL (Execution Control List). Every executable design element in Notes (form, agent, database, etc.) carries a signature identifying the last person who changed it. The workstation ECL determines whether code signed by that person is allowed to run on a given workstation at all, and how much access it gets to workstation functions such as the file system, other databases and external programs. In the experiment above, Chris did not have an ECL configured; with a restrictive ECL, PostOpen code signed by the attacker's ID would have been blocked or would at least have prompted the user. The ECL has to be configured on every workstation, and a user who is prompted can still choose to let the code run, so it complements rather than replaces disabling stored forms.

Lotus's response to this issue is at: http://support.lotus.com/sims2.nsf/eb5fbc0ab175cf0885256560005206cf/89e023ae7ee59e5d852569f90059fd5e?OpenDocument
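The following LotusScript agent is an added example, not code from the advisory or from Lotus. It audits a mail file for documents that carry a stored form, so an administrator can find such messages without opening them in the client: the back-end NotesDocument class does not run form events, so the scan does not trigger a PostOpen payload the way opening the mail would. It assumes that a document saved with 'Store form in Document' carries the form's design items and uses the presence of a $Title item as the marker; the 'Quarantine' folder name is also an assumption.

```lotusscript
' Added example, not part of the original advisory or Lotus code.
' Audits the current database for documents that carry a stored form.
' ASSUMPTION: a document saved with "Store form in Document" carries the
' form's design items, so the presence of a $Title item is used as marker.
' The back-end NotesDocument class does not run form events, so this scan
' does not trigger a PostOpen payload the way opening the mail would.
Option Public
Option Declare

' Returns True (-1) when the document looks like it carries a stored form.
Function HasStoredForm(doc As NotesDocument) As Integer
    HasStoredForm = doc.HasItem("$Title")
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim dc As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim hits As Long

    Set db = session.CurrentDatabase
    Set dc = db.AllDocuments
    Set doc = dc.GetFirstDocument
    hits = 0

    While Not (doc Is Nothing)
        If HasStoredForm(doc) Then
            hits = hits + 1
            ' Log enough to locate the message and inspect it by hand.
            Print "Stored form: UNID=" & doc.UniversalID & _
                " Form=" & doc.GetItemValue("$Title")(0) & _
                " From=" & doc.GetItemValue("From")(0) & _
                " Subject=" & doc.GetItemValue("Subject")(0)
            ' Move the message out of the Inbox into a quarantine folder
            ' (hypothetical folder name) instead of deleting it, so the
            ' stored form can be examined in Designer before disposal.
            Call doc.PutInFolder("Quarantine")
            Call doc.RemoveFromFolder("($Inbox)")
        End If
        Set doc = dc.GetNextDocument(doc)
    Wend

    Print "Scanned " & CStr(dc.Count) & " documents, " & CStr(hits) & " carry a stored form"
End Sub
```

Run it as an agent with the target set to all documents in the mail file, from an ID that has at least Editor access so the folder moves succeed. The From and Subject values are attacker-controlled (the advisory notes the sender can be spoofed), so treat them as hints for triage, not as evidence of origin.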