TRUST FACTORY Trust but Verify Falling Domino’s R.K. McPeake W. Aukema


Page 1 (title slide)

TRUST FACTORY
Trust but Verify
Falling Domino’s
R.K. McPeake, W. Aukema

Page 2 (Slide 2): October 2000, BlackHat

Contents

• General Intro
• Intro Lotus Notes
• Known Issues
• Our Research
• Conclusions
• Recommendations
• Q&A

Page 3 (Slide 3)

General Introduction

• Trust, but Verify
• DEFCON-8, July 31, Las Vegas
• Crucial Facts
• Our Future

Page 4 (Slide 4)

Intro Lotus Notes

Page 5 (Slide 5)

What is Lotus Notes?

• Secure Groupware Platform
  » Email, Application, Web & Database connectivity services
• Application Development Platform
  » @Formula language, LotusScript, JavaScript, Java, C/C++ API

Page 6 (Slide 6)

How big is Lotus Notes?

• Over 60 million corporate users
  » Major Releases: 4.5-, 4.6-, 5.0-

Page 7 (Slide 7)

Who Uses Notes?

• Government
  » Legislature
  » Military
  » Intelligence Agencies
• Multinationals
  » Manufacturing
  » Pharmaceuticals
  » Petrochemical
  » Defense Contractors
• Utilities
  » Power Companies
  » Telcos
• Finance
  » Accounting
  » Banks
  » Insurance
• Others
  » Law firms

Page 8 (Slide 8)

Why people use Notes

• Security Features
• Public Key Infrastructure
  » Authentication
  » Encryption
• Access control levels
  » Server, Database
  » Document, Field
• Reputation
• Extremely few vulnerabilities

Page 9 (Slide 11)

Known Issues

Page 10 (Slide 12)

Known Issues

• Misconfigurations
  » 1 - Access Control Lists
  » 2 - Server ID-file passwords
  » 3 - Execution Control Lists
• Product Features
  » 1 - HTTP Server
  » 2 - Names & Address Book
  » 3 - Stored Forms

Page 11 (Slide 13)

Common Misconfigurations 1

• Access Control Lists = ACL
• Purpose
  » To restrict access to Notes databases
• Issue
  » Default settings are insecure and allow people to read (& sometimes modify) databases

Page 12 (Slide 14)

ACL Issues

Database      What it holds                            What a reader can do
names.nsf     Blueprint of the Notes infrastructure    Browse setup & user accounts
catalog.nsf   Lists all Notes databases                Browse ACLs & file locations
domcfg.nsf    Setup / config of the web server         Create virtual servers / redirects
log.nsf       Monitoring server/user/agent activity    Browse user & server activity
and more...

Page 13 (Slide 15)

Common Misconfigurations 2

• SERVER.ID File
• Purpose
  » Server Identity
• Issue
  » To allow auto-restart of Notes servers, absence of password is recommended.

Page 14 (Slide 16)

Server-ID Issues

• With stolen ID-file, one can:
  • Open all databases on that server
  • Access other servers

Page 15 (Slide 17)

Common Misconfigurations 3

• Execution Control Lists = ECL
• Purpose
  » To restrict execution of untrusted code at Notes client
• Issue
  » R4 till R5.01: Default settings allow execution of untrusted & unsigned code

Page 16 (Slide 18)

ECL Issues

• Execution of Malicious Code
  • Melissa
  • LoveBug

Page 17 (Slide 19)

Product Features 1

• Using URL Syntax
  • Http://www.example.com/ +
    » ?open - Allows full database browsing
    » database.nsf/$DefaultNav?OpenNavigator - bypassing database navigator settings
• Using HTML Syntax
  • Saving & modifying html-source allow upload of unwanted content

Page 18 (Slide 20)

Product Features 2

• Names and Address Book
  • User ID’s stored with person document
  • HTTP-Username + Password viewable by all internal users
  • HTTP password = ID-file password

Page 19 (Slide 21)

Product Features 3

• Stored Forms
  • Explained in Detail ->

Page 20 (Slide 22)

Stored Forms

• Notes Database Structure
• Data
  » Structured data
  » RichText (attachments, actions, etc.)
  » HTML (Java / JavaScript)
• Forms
  » Rendering data
  » Programmable Events
• Stored Forms
  » Database Object with Form

Page 21 (Slide 23)

Stored Forms

• Background
  • Reported back in 1996
    » Oliver Buerger, Germany
    » Der Spiegel (11-03-1996, page 220-222)
    » Lotus responds with the ECL in R4.5
  • 4 Years later, in 2000
    » Very few have the ECL setup correctly
    » Almost everyone allows Stored Forms

Page 22 (Slide 24)

Stored Forms

• Purpose
  » Workflow Applications
  » Client Administration
• Issues
  » Enabled by default in every database
  » In QueryOpen event, no user interaction
  » Transmitted over SMTP

Page 23 (Slide 25)

Stored Forms

Demonstration

Page 24 (Slide 26)

Our Research

Page 25 (Slide 27)

Our Research

• Background
  • Published at DEFCON-8, Las Vegas
  • Ethical Disclosure
  • Much Exposure, but
  • Missing Crucial Details

Page 26 (Slide 28)

Our Research

• What we will discuss
  • Design Elements
  • Bypassing the ECL
  • Unclear User Preferences
  • Password hash
  • Validating ID-files

Page 27 (Slide 29)

Notes Design Elements

• Design Elements
  » Stored in obscure locations within db
  » Can be Modified with Editor access
  » Accessible as regular Notes Documents
• Example
  » Stored Form enabled via ‘f’ in $Flags item of an Icon document in mail db
  » For the mail file in a R5.03 client, the note-id for Icon doc = 2A2, DbScript = 1C6

Page 28 (Slide 30)

Execution Control Lists

• Introduced with Release 4.5, to combat the problem with stored forms
• Controls what “foreign” code can be executed depending on Notes “Signatures”
  » Trusted Signature: Which functions to allow
  » Default: for Signatures not specified in ECL
  » No Signature: for unsigned code

Page 29 (Slide 31)

Execution Control Lists

• Common ECL Problems
  » Very Few Administrators and Users understand ECL concepts
  » ECL settings are stored in obscure location
  » Until release 5.0.2- default settings allow “WORLD” access

Page 30 (Slide 32)

Execution Control Lists

• We discovered two ways to reset the ECL of a Notes client
  • @RefreshECL (“” : “” ; “”)
  • Remove ECLSetup = 3 from notes.ini
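As an added example (not code from the slides or from Lotus), the following models the three-tier lookup described on the "Execution Control Lists" slide (trusted signature, default, no signature), reports which fallback entries still grant rights, and checks a notes.ini for the ECLSetup=3 entry whose removal resets the client ECL. The capability names, the dict layout for an ECL and the sample data are constructed assumptions.

```python
# Added example, not from the Trust Factory slides: a model of the three-tier
# ECL lookup the "Execution Control Lists" slide describes (trusted signature,
# default, no signature), plus a check that notes.ini still carries the
# ECLSetup=3 entry whose removal the slides say resets the client ECL.
# Capability names, the ECL dict layout and the sample data are constructed.

# Pre-5.0.2 style fallback: every capability granted ("WORLD" access).
WORLD = {"read_files", "write_files", "run_programs", "send_mail", "network"}


def ecl_allows(ecl, signer, capability):
    """Pick the ECL entry that governs this signer and test the capability.

    ecl = {"trusted": {signer: set(caps)}, "default": set, "no_signature": set}
    signer is None for unsigned code.
    """
    if signer is None:
        entry = ecl["no_signature"]           # unsigned code
    elif signer in ecl["trusted"]:
        entry = ecl["trusted"][signer]        # explicitly trusted signer
    else:
        entry = ecl["default"]                # signed, but signer not listed
    return capability in entry


def ecl_weaknesses(ecl):
    """Report fallback entries that grant anything: with these, code from an
    unknown or unsigned source runs with those rights and no prompt."""
    return {name: sorted(ecl[name])
            for name in ("default", "no_signature") if ecl[name]}


def ecl_setup_present(notes_ini_text):
    """True only if notes.ini has ECLSetup=3 (key case-insensitive)."""
    for line in notes_ini_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().upper() == "ECLSETUP":
            return value.strip() == "3"
    return False


# Constructed ECLs: the legacy default and a hardened one that only trusts
# the organisation's signing ID (the name is a placeholder).
LEGACY_ECL = {"trusted": {"CN=Admin/O=Example": set(WORLD)},
              "default": set(WORLD), "no_signature": set(WORLD)}
HARDENED_ECL = {"trusted": {"CN=Admin/O=Example": set(WORLD)},
                "default": set(), "no_signature": set()}

# Constructed notes.ini fragments: intact, and with the ECLSetup line removed.
NOTES_INI_OK = "Directory=C:\\notes\\data\nECLSetup=3\nKeyFilename=user.id\n"
NOTES_INI_RESET = "Directory=C:\\notes\\data\nKeyFilename=user.id\n"
```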

Page 31 (Slide 33)

Execution Control Lists

• We discovered that
  • Notes API calls are not intercepted by the ECL
  • OLE/COM uses Notes API

Page 32 (Slide 34)

Execution Control Lists

Demonstration

Page 33 (Slide 35)

Unclear User Preferences

• F5 doesn’t do what you think…
• What about sharing that User ID …

Page 34 (Slide 36)

Unclear User Preferences

Demonstration

Page 35 (Slide 37)

Unclear User Preferences

• Observations
  • Once API program has acquired access, password remains cached
  • User ID sharing is a flag in Notes Memory Process
• Vulnerability
  • Flag can be changed from external program
  • F5 limited to Notes client only

Note: API program can only access what Notes Client has accessed before.

Page 36 (Slide 38)

HTTP Password Hash

• Based on modified RC4 implementation
• HTTP passwords not salted
  » 355E98E7C7B59BD810ED845AD0FD2FC4 = “password”
  » 06E0A50B579AD2CD5FFDC48564627EE7 = “secret”
  » CD2D90E8E00D8A2A63A81F531EA8A9A3 = “lotus”
• Brute force/dictionary-attacks are possible
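As an added example (not code from the slides), the following audit uses the consequence of the unsalted scheme shown above: the three hash/plaintext pairs on the slide hold for every user, and two users with the same hash share a password. It flags person documents whose HTTPPassword is one of the slide's known values or is shared with another user; the export format and the sample records are constructed assumptions.

```python
# Added example, not from the Trust Factory slides: audit of HTTPPassword
# values exported from person documents. Because the slides state the hash
# is unsalted, identical passwords give identical hashes, so the slide's
# hash/plaintext pairs apply to every user and a shared hash means a shared
# password. The "ShortName;HTTPPassword" export format and the sample
# records below are constructed for this demo.

# Hash -> plaintext pairs quoted on the slide (unsalted, hence reusable).
KNOWN_WEAK = {
    "355E98E7C7B59BD810ED845AD0FD2FC4": "password",
    "06E0A50B579AD2CD5FFDC48564627EE7": "secret",
    "CD2D90E8E00D8A2A63A81F531EA8A9A3": "lotus",
}


def parse_export(text):
    """Parse 'ShortName;HTTPPassword' lines into (user, hash) pairs."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        user, _, digest = line.partition(";")
        records.append((user.strip(), digest.strip().upper()))
    return records


def audit_http_passwords(records):
    """Return (user, reason) findings: users whose hash is one of the
    slide's known values, and users who share a hash with someone else
    (one cracked account then exposes all of them)."""
    by_hash = {}
    for user, digest in records:
        by_hash.setdefault(digest, []).append(user)
    findings = []
    for user, digest in records:
        if digest in KNOWN_WEAK:
            findings.append((user, "trivial password: " + KNOWN_WEAK[digest]))
        elif len(by_hash[digest]) > 1:
            others = [u for u in by_hash[digest] if u != user]
            findings.append((user, "hash shared with " + ", ".join(others)))
    return findings


# Constructed sample export: two slide-listed hashes, one shared hash, one unique.
SAMPLE_EXPORT = """\
# constructed export: ShortName;HTTPPassword
jdoe;355E98E7C7B59BD810ED845AD0FD2FC4
asmith;cd2d90e8e00d8a2a63a81f531ea8a9a3
bjones;0123456789ABCDEF0123456789ABCDEF
cwhite;0123456789ABCDEF0123456789ABCDEF
dgreen;FEDCBA9876543210FEDCBA9876543210
"""
```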

Page 37 (Slide 39)

HTTP Password Hash

Demonstration

Page 38 (Slide 40)

Notes User ID file

• Delivers:
  • Authentication
    » Access Control
  • Non Repudiation & Integrity
    » Digital Signature
  • Confidentiality
    » Encryption

Page 39 (Slide 41)

Notes User ID file

• Contains:
  » Encrypted Private and Public Key
  » User Information
  » Expiration Date
  » Integrity Control
• Used by:
  » Notes Client
  » Domino Server
  » API based programs

Page 40 (Slide 42)

Notes User ID file

• Notes Client Features:
  » Blocks brute-force attacks
  » Digest checked in server NAB
  » Auto logoff & F5-based lockout
  » User ID sharing (API-programs)

Page 41 (Slide 43)

Notes User ID file

• Identity Theft
  • Inside your Network
  • Outside your Organization

Page 42 (Slide 44)

Notes User ID file

Demonstration

Page 43 (Slide 45)

Conclusions

Page 44 (Slide 46)

Conclusions

• Multiple Vulnerabilities exist
• At All Levels in the Notes / Domino Environment
• Causing Serious Threats
  » Vandalism
  » Theft
  » Fraud
  » Warfare

Page 45 (Slide 47)

Conclusions

• Domino Server Security
  • URL syntax
    » Viewing unintended content
    » Uploading content
  • Server ID file
    » No password recommended

Page 46 (Slide 48)

Conclusions

• Workstation Security
  • Execution of Malicious Code
    » Stored Forms
    » Two ways to reset ECL
    » Bypass ECL with OLE/API calls
  • Continuing a Locked Session
    » With API programs (NotesPeek)
    » Resetting Sharing Flag

Page 47 (Slide 49)

Conclusions

• Database Security
  • Design Elements
    » Accessible as Notes Documents
    » Editor Access to Modify/Corrupt
  • Names & Address Book
    » ECL settings in obscure locations
    » http-hashes and other sensitive data viewable by all internal users
    » ID files downloadable

Page 48 (Slide 50)

Conclusions

• ID File Security
  • IDs can be obtained
    » Download from Names & Address Book
    » With malicious code / email
    » From workstation local/network drive
  • IDs can be validated
    » With http-password hash
    » During active/cleared session

Page 49 (Slide 51)

Recommendations

Page 50 (Slide 52)

Recommendations

• Response of Lotus
  • Lacks Crucial Details
  • No Solutions Delivered
  • Requires more Pressure
• Take Action
  • Assess your Situation
  • Check for Yourself
  • Follow our Recommendations

Page 51 (Slide 53)

Recommendations

• Restrict access from the Web
• Don’t store User IDs in NAB
• Choose Different Passwords for ID and HTTP account
• Store User ID file on removable media
• Use strong password hash (Lotus)
  » Manually upgrade to the stronger hash (Lotus)
• Exit Notes completely when leaving your desk
• Never click on ANY email attachments

Page 52 (Slide 54)

Recommendations

• Enforce ACLs on ALL databases
• Restrict anonymous browsing on all default databases
• Disable stored forms on mail databases
• Enforce strong ECLs on all unsigned and untrusted documents
• Ensure strong host-level security on all Notes servers
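As an added example (not code from the slides or from Lotus), the following policy check turns the first two recommendations above, together with the "ACL Issues" slide's list of default databases, into an audit over exported ACL records. The {database: {entry: level}} input layout, the thresholds and the sample ACLs are constructed assumptions; the access level names and the Anonymous and -Default- entries are standard Domino ACL terms.

```python
# Added example, not from the Trust Factory slides: a policy check over
# Domino-style ACL records, applying the slides' advice to enforce ACLs on all
# databases and to block anonymous browsing of the default databases. The
# {database: {entry: level}} layout and the sample ACLs are constructed.

# Domino ACL access levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]

# Default databases named on the "ACL Issues" slide and what reading them exposes.
DEFAULT_DBS = {
    "names.nsf": "infrastructure blueprint, setup and user accounts",
    "catalog.nsf": "list of all databases, their ACLs and file locations",
    "domcfg.nsf": "web server setup, virtual servers and redirects",
    "log.nsf": "server, user and agent activity",
}

def rank(level):
    """Numeric position of an access level; unknown levels count as Manager."""
    return LEVELS.index(level) if level in LEVELS else len(LEVELS) - 1

def audit_acls(acls):
    """Return (database, entry, level, reason) findings for
    acls = {database: {entry: level}}. Rules derived from the slides:
      1. Anonymous and -Default- may not read a default system database.
      2. Anonymous may not exceed Reader anywhere (web users could modify content).
      3. -Default- may not exceed Author anywhere: Editor access is enough to
         modify design elements, which are stored as ordinary documents.
    """
    findings = []
    for db, entries in acls.items():
        anon = entries.get("Anonymous", "No Access")
        default = entries.get("-Default-", "No Access")
        if db.lower() in DEFAULT_DBS:
            for who, level in (("Anonymous", anon), ("-Default-", default)):
                if rank(level) >= rank("Reader"):
                    findings.append((db, who, level, "exposes " + DEFAULT_DBS[db.lower()]))
        if rank(anon) > rank("Reader"):
            findings.append((db, "Anonymous", anon, "anonymous users can modify content"))
        if rank(default) > rank("Author"):
            findings.append((db, "-Default-", default, "any user can alter design elements"))
    return findings

# Constructed sample: ACLs of four databases as an administrator might export them.
SAMPLE_ACLS = {
    "names.nsf": {"Anonymous": "Reader", "-Default-": "Author", "LocalDomainAdmins": "Manager"},
    "log.nsf": {"Anonymous": "No Access", "-Default-": "Reader"},
    "discussion.nsf": {"Anonymous": "Author", "-Default-": "Editor"},
    "catalog.nsf": {"Anonymous": "No Access", "-Default-": "No Access"},
}
```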

Page 53 (Slide 55)

For More Information

• Web
  • http://www.trust-factory.com
  • http://www.sdi-group.com
  • http://www.lotus.com
• Whitepaper
  • under construction
  • mailto: [email protected]

Page 54 (Slide 56)

Q&A

Page 55 (Slide 57)

Contact Details

Trust Factory B.V.
Bazarstraat 44-a
2518 AK The Hague
The Netherlands

+31 70 362 [email protected]