Vulnerability

    Lotus Notes

Affected

    Lotus Notes

Description

    Chris Jones  found following.   Due to  the design  flaws of Lotus
    Notes  databases,  a  user  with  sufficient knowledge can craft a
    Lotus Notes Email  in such a  way that the  recipient only has  to
    open  the  email  or  view  the  email  using the preview panes to
    become infected or to run the arbitrary code.

    The problem  lies in  Lotus Notes  ability to  allow developers to
    create forms that do not rely on a specific template in a database
    (like normal emails) but instead  uses its own in built  templates
    that  travel  within  the   document.   Using  these  methods   an
    experienced Lotus  Notes developer  could create  an email enabled
    worm specifically for Lotus Notes networks which could do anything
    from delete a few files to granting ACL rights to the persons mail
    box (so all emails could be viewed) to retrieving the users cached
    passwords or similar information.   Another key point that  allows
    this exploit to occur is  that the design of the  mailbox database
    has by default been allowed to accept stored forms.

    To generate  the email  a malicious  user will  need to modify the
    default 'memo' form's  design - which  does require a  developer's
    edition of  Lotus Notes.   The malicious  user then  has to modify
    the forms' properties  so the 'Store  form in Document'  action is
    checked.   The malicious  user then  has a  choice he could insert
    code into the forms 'PostOpen' event, which requires Lotus  Script
    programming knowledge or he can go the easy method and modify  the
    forms 'Launch'  properties which  allows you  to launch  the first
    document  attachment  when  opened   which  could  be   absolutely
    anything.

    Chris tested this  exploit out using  Lotus Notes version  4.6 but
    any  version  of  Lotus  Notes  4  should  be  affected.   In  his
    experiment he was  able to gain  manager access to  someone else's
    Email Box using 4 Lines of Lotus Script code.

    Using Lotus Script you can  even change the source address  of the
    email to  fool the  user into  believing that  the infected  email
    came from a trusted source.  You  could even go so far as to  code
    the  email  so  it  looks  at  the  target's mailbox and creates a
    duplicate document of his most  recent email, so it looks  as some
    other user has sent him two copies of the same email.

    You  could  litterly  copy/paste  the  mellisa virus code into the
    postopen even and  it would act  the same way  the virus did  with
    Outlook/Exchange  since  the  development  environment is mimicked
    after VBA.

Solution

    There  is  a  very  quick  and  very easy method of disabling this
    feature and that is to  modify the mailbox database properties  so
    that the 'Allow  stored forms' is  unchecked.  This  will stop any
    forms of this attack.

    Lotus  Notes  has  a  security  protection  measure  called  ECL -
    Execution  Control  List.   Basically,  every  executable   design
    element (form, agent, database etc) in Lotus Notes has a signature
    on  it.   The  signature  tells  Notes  about  the last person who
    changed  this  design  element.   The  ECL  determines whether the
    signer of  the code  is allowed  to have  its code  run on a given
    workstation, and defines the extent  to which the code has  access
    to various workstation functions  and is gated by  the workstation
    security ECL.  Basically, in example above Chris did not have  ECL
    configured.

    Lotus response to this issue is:

        http://support.lotus.com/sims2.nsf/eb5fbc0ab175cf0885256560005206cf/89e023ae7ee59e5d852569f90059fd5e?OpenDocument