
List:       bugtraq
Subject:    Lotus Domino Web Administrator Template ReplicaID Access (#NISR29102001A)
From:       "NGSSoftware Insight Security Research" <nisr () nextgenss ! com>
Date:       2001-10-31 0:13:38

NGSSoftware Insight Security Research Advisory

Name:    Lotus Domino Web Administrator Template ReplicaID Access
Systems Affected:  Lotus Domino 5.x on all operating systems
Severity:  High Risk
Vendor URL:   http://www.lotus.com/
Author:   David Litchfield (david@nextgenss.com)
Date:   29th October 2001
Advisory number: #NISR29102001A


Description
***********
Lotus Domino is an application server designed to support workgroups and
collaboration on projects. It offers SMTP, POP3, IMAP, LDAP and web services
that allow users to interact with Lotus Notes databases.

NISR have discovered a feature of Domino's web server that allows an
anonymous user to access the Web Administrator template file (webadmin.ntf)
and use some of its functionality. Normally webadmin.ntf should not be
accessible at all, so this poses a high security threat to systems running
Lotus Domino.

Details
*******
Lotus Notes databases can have one of several file extensions, such as .nsf,
.ns4 or .box. When the Domino web server receives a client request it
examines the request to decide whether it is for a Notes database file. If it
is, Domino looks for the file in the \lotus\domino\data directory; if it is
not, Domino looks in another directory: \lotus\domino\data\domino\html. Some
Notes databases are derived from template files that have a .ntf file
extension. These template files exist in the same directory as their .nsf
children. However, making a request for a template file causes Domino to
search in the latter directory; as the templates exist in the former, the web
server fails to find the file and returns a File Not Found (404) reply.

Another way to make a request for a database resource is to use the
database's ReplicaID. A ReplicaID is a 16 digit hexadecimal number that is
used to track concurrent copies of the same database across different
systems. It is therefore possible for a user to access a Notes database
template file by making a request to the web server using the template's
ReplicaID. Of all the templates, only the Web Administrator template file
seems to be dangerous. Anonymous users can read any text based file on the
system that Domino has permission to access, as well as enumerate all
databases on the system. If the Domino web service process is running as
root or SYSTEM then an attacker would not be limited in the files they could
access. This problem is further exacerbated by the fact that the webadmin.ntf
ReplicaID is the same on every system running Domino, meaning that once an
attacker has the ReplicaID they will be able to access the Web Administrator
template on any Domino system.


Fix Information
***************
The best course of action is to remove the Web Administrator template from
the system. You should also consider removing the real Web Administrator,
webadmin.nsf, as if someone were to gain a valid user ID and password for
Domino they would be able to perform undesirable actions against the
system.

Lotus were informed about this issue and, in their next release of Domino,
version 5.0.9, will ensure that the permissions set on the webadmin.ntf file
are such that anonymous access is prevented.

For those worried about attempts to access the Web Administrator template
file who wish to monitor for potential attacks, you can get the ReplicaID of
webadmin.ntf from the Domino Catalog, catalog.nsf. Hold the Control, Shift
and H keys down whilst you open the catalog. This key sequence causes the
Notes client to show hidden views as well as visible ones. One of the hidden
views, $ReplicaID, contains the ReplicaID of every database and template on
the system.
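As an added example of the monitoring the advisory suggests (not NGSSoftware's code or part of DominoScan), the script below scans web server access-log lines for requests that address a database by ReplicaID and flags any that match the webadmin.ntf ReplicaID, plus direct .ntf requests as lower-severity probes. It assumes Common Log Format lines and the URL forms `/<ReplicaID>?...` and `/__<ReplicaID>.nsf`; the ReplicaID constant is a placeholder to be replaced with the value read from the $ReplicaID view of catalog.nsf, and the log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# PLACEHOLDER, not the real value: read the webadmin.ntf ReplicaID from the
# hidden $ReplicaID view of catalog.nsf (Ctrl+Shift+H in the Notes client).
WEBADMIN_NTF_REPLICAID = "0123456789ABCDEF"

# Common Log Format access-log line (assumed log layout).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A 16-hex-digit ReplicaID path component, bare or as __<id>.nsf (assumed forms).
REPLICAID_RE = re.compile(r'/(?:__)?([0-9A-Fa-f]{16})(?:\.nsf)?(?:[/?]|$)')

def classify_request(path: str) -> Optional[str]:
    """Severity for one request path, or None if it is not of interest."""
    m = REPLICAID_RE.search(path)
    if m:
        if m.group(1).upper() == WEBADMIN_NTF_REPLICAID:
            return "high"   # webadmin.ntf reached by ReplicaID: the advisory's issue
        return "info"       # some other database addressed by ReplicaID
    if path.split("?", 1)[0].lower().endswith(".ntf"):
        return "info"       # direct template request; 404 by design, but a probe
    return None

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per flagged request, in log order."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue                      # unparseable line, skip it
        severity = classify_request(m.group("path"))
        if severity:
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": m.group("status"), "severity": severity})
    return hits

# Constructed sample log lines; the ReplicaIDs and addresses are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Oct/2001:10:14:22 +0000] "GET /names.nsf?OpenDatabase HTTP/1.0" 401 0',
    '10.0.0.5 - - [29/Oct/2001:10:14:30 +0000] "GET /webadmin.ntf HTTP/1.0" 404 0',
    '10.0.0.5 - - [29/Oct/2001:10:14:41 +0000] "GET /__0123456789ABCDEF.nsf?OpenDatabase HTTP/1.0" 200 8192',
    '10.0.0.9 - - [29/Oct/2001:11:02:03 +0000] "GET /0123456789abcdef?OpenDatabase HTTP/1.0" 200 8192',
    '10.0.0.9 - - [29/Oct/2001:11:02:09 +0000] "GET /FEDCBA9876543210?OpenDatabase HTTP/1.0" 200 1024',
]
```

Running `scan_log(SAMPLE_LOG)` yields four records: the direct .ntf probe and the unrelated ReplicaID request as "info", and the two requests carrying the webadmin.ntf ReplicaID (in either URL form, any letter case) as "high".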

A check for this problem already exists in DominoScan, NGSSoftware's Lotus
Domino application security scanner; more information is available from
http://www.nextgenss.com/dominoscan.html . NISR have also written a
white paper on how to secure Lotus Domino's web server, available from
http://www.nextgenss.com/papers.html
