|
COMMAND Lotus Domino web server allows anonymous access to .ntf files SYSTEMS AFFECTED Domino 5.0.8 and previous PROBLEM NISR have discovered a feature of Domino\'s web server that allows an anonymous user to access the Web Administrator template file (webadmin.ntf) and use some of its functionality. Normally webadmin.ntf should not be accessible and as such this poses a high security threat to systems running Lotus Domino. Details ******* Lotus Notes Databases can have one of several file extensions such as .nsf, .ns4 or .box and when the Domino web server receives a client request it examines the request to decide if it is for a Notes database file. If it is Domino for looks for the file in the \\lotus\\domino\\data directory; if it is not Domino looks in another directory: \\lotus\\domino\\data\\domino\\html. Some Notes databases are derived from template files that have a .ntf file extension. These template files exist in the same directory as their .nsf children; However, making a request for a template file causes Domino to search in the latter directory, but as they exist in the former, the web server fails to find the file and returns a File Not Found (404) reply. Another way to make a request for a database resource is to use the database\'s ReplicaID. A ReplicaID is a 16 digit hexadecimal number that is use to track concurrent copies of the same database over different systems. It is therefore possible for a user to access a Notes database template file by making a request to the web server using the template\'s ReplicaID. Of all the templates only the Web Administrator template file seems to be dangerous. Anonymous users can read any text based file on the system that Domino has the permission to access as well as enumerate all databases on the system. If the Domino web service process is running as root or SYSTEM then an attacker would not be limited to the files they could access. This problem is further exacerbated by the fact that the webadmin.ntf ReplicaID is the same on every system running Domino meaning that once an attacker has the ReplicaID then they will be able to access the Web Administrator running on any Domino system. Update (05 February 2002) ====== Nicolas Gregoire added, auoted from the \"Hackproofing Lotus Domino Web Server\" doc : \"Another method of tricking Domino into opening the Web Administrator template is through the use of buffer truncation. By making the following request http://server/webadmin.ntf++++++_250_pluses+++++.nsf/ access to webadmin.ntf is granted. This works because Domino attempts to protect itself from buffer overrun attacks and chops a user request down to a safe size. In terms of events here\'s what happens. Domino receives the request and converts all the pluses to spaces and sees it has a .nsf file extention and therefore loads the database parser. The database parser chops the end off of the request, (thus removing the .nsf) to prevent any buffer overrun and then looks in the lotus\\domino\\data directory for the file, webadmin.ntf <space><space><space>.... which it finds and then opens. Thus again the attacker can use webadmin.ntf\'s functionality.\" SOLUTION The best course of action is to remove the Web Administrator template from the system. You should also consider removing the real Web Administrator, webadmin.nsf as if someone were to gain a vaild user ID and password for Domino then they will be able to perform undesirable actions against the system. Lotus were informed about this issue and, in their next release of Domino, version 5.0.9, will ensure that the permissions set on the webadmin.ntf file are such that anonymous access is prevented. For those worried about attempts to access the Web Administrator template file and wish to monitor potential attacks, you can get the ReplicaID of webadmin.ntf from the Domino Catalog, catalog.nsf. Hold the Control, Shift and H keys down whilst you open the catalog. This key sequence causes the Notes client to show hidden views as well as visible. One of the hidden views, $ReplicaID contains the ReplicaID of every database and template on the system. A check for this problem already exists in DominoScan, NGSSoftware\'s Lotus Domino application security scanner, of which, more information is available from http://www.nextgenss.com/dominoscan.html . NISR have also written a white paper on how to secure Lotus Domino\'s web server available from http://www.nextgenss.com/papers.html