2nd Nov 2001 [SBWID-4839]
COMMAND
Lotus Domino web server allows anonymous access to .ntf files
SYSTEMS AFFECTED
Domino 5.0.8 and previous
PROBLEM
NISR have discovered a feature of Domino's web server that allows an
anonymous user to access the Web Administrator template file
(webadmin.ntf) and use some of its functionality. Normally webadmin.ntf
should not be accessible and as such this poses a high security threat
to systems running Lotus Domino.
Details
*******
Lotus Notes databases can have one of several file extensions such as
.nsf, .ns4 or .box, and when the Domino web server receives a client
request it examines the request to decide if it is for a Notes database
file. If it is, Domino looks for the file in the
\lotus\domino\data directory; if it is not, Domino looks in another
directory: \lotus\domino\data\domino\html. Some Notes databases
are derived from template files that have a .ntf file extension. These
template files exist in the same directory as their .nsf children;
however, making a request for a template file causes Domino to search
in the latter directory, but as they exist in the former, the web
server fails to find the file and returns a File Not Found (404) reply.
Another way to make a request for a database resource is to use the
database's ReplicaID. A ReplicaID is a 16 digit hexadecimal number
that is used to track concurrent copies of the same database across
different systems. It is therefore possible for a user to access a
Notes database template file by making a request to the web server
using the template's ReplicaID. Of all the templates only the Web
Administrator template file seems to be dangerous. Anonymous users can
read any text based file on the system that Domino has the permission
to access, as well as enumerate all databases on the system. If the
Domino web service process is running as root or SYSTEM then an
attacker would not be limited in the files they could access. This
problem is further exacerbated by the fact that the webadmin.ntf
ReplicaID is the same on every system running Domino, meaning that once
an attacker has the ReplicaID they will be able to access the Web
Administrator running on any Domino system.
Update (05 February 2002)
=========================
Nicolas Gregoire added, quoted from the "Hackproofing Lotus Domino Web
Server" doc:
"Another method of tricking Domino into opening the Web Administrator
template is through the use of buffer truncation. By making the
following request http://server/webadmin.ntf++++++_250_pluses+++++.nsf/
access to webadmin.ntf is granted. This works because Domino attempts
to protect itself from buffer overrun attacks and chops a user request
down to a safe size. In terms of events here's what happens. Domino
receives the request and converts all the pluses to spaces and sees it
has a .nsf file extension and therefore loads the database parser. The
database parser chops the end off of the request, (thus removing the
.nsf) to prevent any buffer overrun and then looks in the
lotus\domino\data directory for the file, webadmin.ntf
<space><space><space>.... which it finds and then opens. Thus
again the attacker can use webadmin.ntf's functionality."
SOLUTION
The best course of action is to remove the Web Administrator template
from the system. You should also consider removing the real Web
Administrator, webadmin.nsf, since if someone were to gain a valid user
ID and password for Domino they would be able to perform undesirable
actions against the system.
Lotus were informed about this issue and, in their next release of
Domino, version 5.0.9, will ensure that the permissions set on the
webadmin.ntf file are such that anonymous access is prevented.
For those worried about attempts to access the Web Administrator
template file and wishing to monitor potential attacks, you can get the
ReplicaID of webadmin.ntf from the Domino Catalog, catalog.nsf. Hold
the Control, Shift and H keys down whilst you open the catalog. This
key sequence causes the Notes client to show hidden views as well as
visible ones. One of the hidden views, $ReplicaID, contains the ReplicaID
of every database and template on the system.
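As an added example (not part of the original advisory or of NGSSoftware's tooling), the following scanner applies the monitoring idea above to web server access logs: it flags direct requests for .ntf files, the padded ".ntf ... .nsf" truncation pattern from the update, and requests addressed by a bare 16-hex-digit ReplicaID. The log lines, the Common Log Format layout and the ReplicaID value in them are constructed placeholders; substitute the real webadmin.ntf ReplicaID from catalog.nsf to match it exactly.

```python
import re

# Constructed sample access-log lines (Common Log Format style) for the demo;
# the 16-hex-digit ReplicaID below is a made-up placeholder, not the real one.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2001:10:01:02 +0000] "GET /names.nsf HTTP/1.0" 200 1523
10.0.0.7 - - [02/Nov/2001:10:02:15 +0000] "GET /webadmin.ntf HTTP/1.0" 404 312
10.0.0.7 - - [02/Nov/2001:10:02:40 +0000] "GET /0123456789abcdef.nsf/ HTTP/1.0" 200 8801
10.0.0.9 - - [02/Nov/2001:10:03:01 +0000] "GET /webadmin.ntf{pluses}.nsf/ HTTP/1.0" 200 8801
10.0.0.5 - - [02/Nov/2001:10:04:00 +0000] "GET /help/readme.nsf HTTP/1.0" 200 4410
""".format(pluses="+" * 250)

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})')
# Any direct request for a template file, whether Domino served it or returned 404.
NTF_RE = re.compile(r'\.ntf(?:$|[/?+ ])', re.IGNORECASE)
# Truncation pattern: template name, a long run of pluses/spaces, then .nsf.
# The run length of 16 is a heuristic threshold, not a Domino constant.
TRUNC_RE = re.compile(r'\.ntf(?:\+|%20|\s){16,}.*\.nsf', re.IGNORECASE)
# A bare 16-hex-digit path component: database addressed by ReplicaID, not by name.
REPLICA_RE = re.compile(r'/[0-9a-f]{16}(?:\.nsf)?(?:/|$|\?)', re.IGNORECASE)

def classify(path):
    """Return the reasons a request path deserves review, or [] if it looks clean."""
    reasons = []
    if TRUNC_RE.search(path):
        reasons.append("ntf-truncation")
    elif NTF_RE.search(path):
        reasons.append("ntf-direct")
    if REPLICA_RE.search(path):
        reasons.append("replicaid-access")
    return reasons

def scan_log(text):
    """Return (client, path, status, reasons) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify(m.group("path"))
        if reasons:
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("path"), int(m.group("status")), reasons))
    return hits

if __name__ == "__main__":
    for client, path, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {','.join(reasons)} {path[:60]}")
```

A 404 on a direct .ntf request still shows someone probing for templates, which is why the scanner reports it alongside the successful ReplicaID and truncation requests.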
A check for this problem already exists in DominoScan, NGSSoftware's
Lotus Domino application security scanner; more information on it
is available from http://www.nextgenss.com/dominoscan.html . NISR have
also written a white paper on how to secure Lotus Domino's web server,
available from http://www.nextgenss.com/papers.html