Overview
Lotus Notes prior to version 5.02, had permissive ECLs that allow for the execution of malicious mail messages.
Description
A Notes ECL is a list consisting of a Notes Username and a set of permissions from the following list (for Notes 4.6.x):
For example, an ECL might "look like" the following: {Shawn Hernan : Access to file system, Ability to Send Mail} {Cory Cohen : Access to file system, Ability to export data} ECLs are used to control the level of access that Notes Forms, LotusScripts, and Notes Agents have to the local workstation. In the example above, programs (i.e. forms, scripts or agents) written by Shawn would have access to the file system, and the ability to send mail. Programs written by Cory would not be able to send mail, but they could access data. (Notes will prompt the user for instructions when a program violates the ECL). Authorship is determined by cryptographically strong signatures on the programmatic objects. It is possible to attach a program to a Notes Form; the program will be triggered when certain events occur. For example, you could attach a program to a Notes form that displays a welcome message immediately after the form is opened (the so-called "PostOpen" event). Further, it is possible to mail forms, including the attached program(s), from one user to another, or to a database. The abilities and permissions of the programs attached to the form depends on the ECL for the user opening the form. Finally, the default ECLs for Notes are very permissive. In fact, the defaults allow any program, regardless of authorship, all 11 permissions. This level of access can be leveraged to run arbitrary code with the privileges of the user. Combining all these attributes, and assuming the default configuration for ECLs, we believe it is possible for an intruder to mail a malicious program to a Notes user in such a way that the program will be executed when the user opens the mail. In such a scenario, the user would not have to click on any attachments, nor would they be presented with a dialog that would give them a chance to prevent the code from running. Although this behavior is well documented, it is likely that many installations have accepted the default, permissive, configuration. In the wake of the Melissa and ExploreZip viruses, it is easy to imagine a similarly destructive virus being launched against Notes users. Additionally, because Notes mail supports strong encryption, it may be difficult or impossible to apply a general purpose central filtering system to 'screen out' malicious Notes programs. |
Impact
Attackers can cause victims to execute arbitrary code simply by sending them a mail message. The message need only be opened by an appropriate victim. |
Solution
The following procedure has to be followed for each certifier [or identifier] used on each Notes desktop. This procedure must be repeated per user.id file per desktop.
Note that even if you do not use Notes for electronic mail, the same situation applies to any database that can receive mail. It may be possible to automate this procedure via LotusScript. |
Vendor Information
5962
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.notes.net/R5FixList.nsf/Search!SearchView&Query=CBAT45TU9S
- http://listserv.okstate.edu/CGI/WA.EXE?A2=ind9708&L=domino-l&P=R5936
- http://www.securityfocus.com/bid/2358
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0891
- http://www.notes.net/today.nsf/f01245ebfc115aaf8525661a006b86b9/3a9da544637a69b2852568310078b649?OpenDocument
Acknowledgements
Our thanks to a contributor wishing to remain anonymous and Kevin O'Brien of Neon Systems Inc for their contributions to this document.
This document was written by Shawn V Hernan.
Other Information
| CVE IDs: | CVE-2000-0891 |
| Severity Metric: | 54.72 |
| Date Public: | 1997-08-15 |
| Date First Published: | 2000-09-26 |
| Date Last Updated: | 2001-06-26 03:46 UTC |
| Document Revision: | 7 |