Lotus Notes Password Exposure
------------------------------------------------------------------------
SUMMARY
This bulletin describes how an unpublished Lotus Notes debug variable can be
used in an attack to learn a Notes.id password. The notes.ini parameter is
intended for troubleshooting password quality, but it can also be used to log
the user's password. To make use of this feature, however, all of the
following must be true:
(1) Attacker must compromise the workstation in order to implement this
parameter or have administrative rights to push out a notes.ini change via
a policy
(2) User must restart the Notes client
(3) User must be persuaded to change their Notes.id password
(4) Attacker must gather the information from the debug outfile
DETAILS
A debug function in version 5 and up of Lotus Notes can be used to write a
file containing the new password in plain text when a user password is
changed. This function has been designed to bring more transparency into
password quality verification. If two additional lines are entered in the
Notes.INI configuration file, Notes will log the evaluation:
KFM_ShowEntropy=1
Debug_Outfile=c:\testvowe.txt
During the next password change, Notes will create a file with the
following content:
testvowe_TLANB_2007_07_18@17_07_33.txt
18.07.2007 17:07:36 Lotus Notes client started
18.07.2007 17:07:47 Index update process started
Entering SpellCheckInit
entropy.c SpellCheckAccess Get 13A834 0
Initializing spell checking code
SPELLInitialize succeeded; spell checking DLL loaded
SPELLInitMainDict succeeded
SPELLInitUserDict succeeded
Password Entropy: spell checking code initialized
SpellCheckInit succeeded
Bytes per char: 1
Distribution base multiplier: 6
Resulting entropy limit: 60
[c]alp[c]: 0
[c]alp[t]: 0
[-]alp-s[-]: 18
[t]nalp-s[t]: 18
[t]alp[e]: 18
[t]alp[s]: 18
[t]alp[t]: 18
Testing word: [test]
Searching for [test]
Found [test], worth 12 bits
[2]alp-s[2]: 36
[2]nalp[3]: 42
[2]nalp[4]: 48
Entropy as determined by the state machine: 48
Entropy Limit: 60
Current Entropy: 48
Final Entropy: 48
Final Entropy: 48 bits, 12 chars
entropy.c SpellCheckAccess Put 422EB60 F01069BD
The password is found in the lines after "Resulting entropy limit: 60" and
is made up of single characters in square brackets: ct-test234.
IBM had published the debug parameter in a support document but removed it
recently. At present, the document can still be read in the Google cache:
<http://64.233.183.104/search?q=cache:0AKDTeu1macJ:www-1.ibm.com/support/docview.wss%3Fuid%3Dswg21196682+kfm_showentropy&hl=en&ct=clnk&cd=3&gl=uk>
Since the Notes.INI file on a user's hard disk must be manipulated,
physical access to the system is required to exploit this flaw. Notes itself,
however, offers several ways of manipulating this file, and these can also
be used to protect systems from the vulnerability:
1. From Notes 7 upwards, settings in NOTES.INI can be made based on
workstation policies, which makes it possible to enforce the setting
"KFM_ShowEntropy=0".
2. An undocumented possibility of making the same setting exists in Notes
6. To do so, a field with the name $PrefKFM_ShowEntropy with the value 0
must be added to the policy document.
3. Alternatively, the setting may be made with the following short
LotusScript:
' Write KFM_ShowEntropy=0 to the current user's notes.ini.
' The third argument (True) marks it as a system variable, so the
' name is written without the "$" prefix Notes adds to user variables.
Dim s As New NotesSession
Call s.SetEnvironmentVar("KFM_ShowEntropy","0", True)
If this script runs automatically whenever a user's mail database is opened,
the setting is re-applied each time. See also the
<http://www-1.ibm.com/support/docview.wss?rs=203&uid=swg21210786> support
document provided by IBM.
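As a defender-side complement to the policy and LotusScript measures above, the following added example (not part of the heise or SecuriTeam text, and not IBM code) audits a notes.ini for the two keys named in this bulletin and produces a hardened copy; the key names and the Debug_Outfile value come from the advisory, while the sample file content and the function names are constructed for illustration.

```python
"""Audit and harden a Lotus Notes notes.ini for the KFM_ShowEntropy setting.

Added example; the sample notes.ini below is constructed, not a real file.
"""


def parse_notes_ini(text):
    """Return {lowercased key: value} for every KEY=VALUE line.

    notes.ini opens with a '[Notes]' section line, which is skipped along
    with blank lines and lines that carry no '='. Keys are case-insensitive.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit(text):
    """Return a list of findings; an empty list means nothing to report."""
    s = parse_notes_ini(text)
    findings = []
    if s.get("kfm_showentropy") == "1":
        findings.append("KFM_ShowEntropy=1: next password change is logged in clear text")
    if "debug_outfile" in s:
        findings.append("Debug_Outfile=%s: remove the key and the timestamped "
                        "output files it produced" % s["debug_outfile"])
    return findings


def harden(text):
    """Force KFM_ShowEntropy=0 and drop Debug_Outfile, keeping all other lines."""
    out, seen = [], False
    for line in text.splitlines():
        key = line.partition("=")[0].strip().lower()
        if key == "debug_outfile":
            continue                      # drop the debug log destination
        if key == "kfm_showentropy":
            line, seen = "KFM_ShowEntropy=0", True
        out.append(line)
    if not seen:                          # enforce the safe value explicitly
        out.append("KFM_ShowEntropy=0")
    return "\n".join(out) + "\n"


# Constructed sample carrying the two lines quoted in the advisory.
SAMPLE_INI = "[Notes]\nDirectory=c:\\notes\\data\nKitType=1\n" \
             "KFM_ShowEntropy=1\nDebug_Outfile=c:\\testvowe.txt\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("FINDING:", finding)
    print(harden(SAMPLE_INI))
```

Run against each workstation's notes.ini (and the server-side policy settings that push notes.ini changes) to find clients where the debug variable has already been enabled.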
Assessment:
Notes uses the password to protect the certificate storage Notes.ID used
by every user for authentication. This file is encrypted or decrypted with
the user password. Together with the Notes certificates, Notes.ID also
stores the user's private key and X.509 certificates, where required. For
this reason, it is of utmost importance to ensure that nobody can create a
copy of the password and Notes.ID at the same time. If somebody gains
concurrent access to both the log file and the Notes.ID, this person can
authenticate himself to Notes at any time.
Even though administrators can eliminate exploitation of this debug
function in most cases, a Notes administrator with appropriate privileges
is able to discover all user passwords.
Unlike under Windows, the Notes administrator is not able to reset
forgotten passwords, since passwords are only required for decrypting the
Notes.ID. Some Notes customers have implemented complex solutions to allow
for the central storage of password changes, while resetting passwords is
only possible based on the four-eye principle, i.e. administration and
revision must work together to do so. The debug function makes it possible
to bypass this security measure.
Update:
In a <http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21266085>
response to 'Password exposure in Lotus Notes' by heise Security, IBM
essentially confirms the vulnerability. They rate the severity as rather
low (Overall CVSS Score: 0.9) but do not discuss the numerous
possibilities for remote administration of Notes clients. Such remote
manipulation can only be reliably prevented by using all available access
restrictions (ECL = Execution Control Lists), which is often not done.
According to IBM, "Lotus Notes versions 8.0, 7.0.3 and all future versions
will contain a fix that will remove the use of this undocumented debug
variable."
ADDITIONAL INFORMATION
The information has been provided by <mailto:ju@heisec.de> Juergen
Schmidt.
The original article can be found at:
<http://www.heise-security.co.uk/news/92958>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.