[NEWS] IBM Lotus Notes Insecure Default Folder Permissions

Subject: [NEWS] IBM Lotus Notes Insecure Default Folder Permissions
Date: 19 Oct 2006 18:05:18 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


  IBM Lotus Notes Insecure Default Folder Permissions
------------------------------------------------------------------------


SUMMARY

"IBM Lotus Notes continues to set the standard for innovation in the messaging and collaboration market Lotus defined over a decade ago. As an integrated collaborative environment, the Lotus Notes client and the IBM Lotus Domino server combine enterprise-class messaging and calendaring & scheduling capabilities with a robust platform for collaborative applications." (<http://www.lotus.com/products/product4.nsf/wdocs/noteshomepage>)

Secunia Research has discovered a security issue in Lotus Notes, which can be exploited by malicious, local users to manipulate arbitrary files.

DETAILS

Vulnerable Systems:
 * IBM Lotus Notes version 6.5.4
 * IBM Lotus Notes version 6.5.5
 * IBM Lotus Notes version 7.0.0
 * IBM Lotus Notes version 7.0.1

Immune Systems:
 * IBM Lotus Notes version 7.0.2

The problem is that Lotus Notes sets insecure default permissions (grants 
"Everyone" group "Full Control") on the "notes" directory and all child 
objects. This can be exploited to remove, manipulate, and replace any of 
the application's files.

Solution:
IBM provides the following solution (<http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773>):
Prior to Notes 6.5.4, when installing the Notes client on Windows, the 
permissions for the Notes program and data directories were set based on 
permissions inherited from the Program Files setting. With Microsoft 
Windows NT , Windows 2000, or a system that was upgraded from Windows 
NT/2000 to Windows XP, regular users had write access to Program Files. 
This is important because Notes needs the user to have write access to 
portions of the data directory and to the notes.ini file in the program 
directory.

Beginning with new installations of Windows XP, or with Windows XP Service 
Pack 2 (SP2), however, regular users no longer have write access to 
Program Files. This caused problems at customer sites where the 
administrator performed the client installation with administrator rights, 
but when running Notes as a regular user, the end user no longer had write 
access to the files required by Notes (notes.ini and selected data files) 
on these systems.

As an interim solution based on customer feedback, we changed the install 
in Notes 6.5.4 and began setting the permissions for All Users to have 
read/execute/write permissions on the Notes program and data directories. 
This was done by adding entries to the LockPermissions table in the 
installer. In the meantime, work had also begun on the Smart Upgrade Run 
As Admin feature which shipped with Notes 7.0.2 and which can be also used 
to upgrade Notes 6.x clients.

Administrators with access to change directory settings can assign 
specific users or groups the ability to write to the Notes program and 
data directories instead of inheriting from Windows Program Files settings 
or instead of allowing write access to All Users/Everyone.

In 7.0.2, the Notes client install reverts back to the pre-6.5.4 and 7.0 
behavior. This change will also apply to Notes 6.5.6. In other words, the 
permissions set on the Notes program and data files are set based on the 
Program Files settings.

Another option for customers is to install Notes as multi-user, even if 
only one user will be using that computer. In this case, the Notes program 
files are stored under Program Files with permissions set as described 
above. Notes shared data files (templates, help) are stored under 
c:\Documents and Settings for All Users (with permissions set to 
read/execute for all users). Notes user-specific data files (notes.ini, 
databases) are stored under c:\Documents and Settings for the specified 
user(s) (read/execute/write for specified user).
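The following PowerShell script is an added example for administrators and is not code from the advisory, Secunia, or IBM. It audits a Notes program directory and all child objects for the condition described above (allow ACEs that give "Everyone" or other broad groups write or full control) and, with -Fix, replaces the explicit broad entries on the directory root with a single named group, which is the approach IBM's guidance recommends over inheriting from Program Files or granting All Users/Everyone write access. The install path in $NotesDir and the group name in $AllowedGroup are assumed values and must be adjusted to the environment.

```powershell
<#
  Added example, not from the advisory or from IBM: audit a Lotus Notes program
  directory for ACEs that grant broad groups write/full control, and optionally
  replace them with one explicit group. $NotesDir and $AllowedGroup are assumed.
#>
param(
    [string]$NotesDir     = 'C:\Program Files\IBM\Lotus\Notes',  # assumed install path
    [string]$AllowedGroup = 'MYDOMAIN\Notes-Users',               # hypothetical group
    [switch]$Fix                                                   # report only unless set
)

$ErrorActionPreference = 'Stop'

# Principals that should not hold write access on a program directory.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Standard rights that let a user change, delete, or replace files. Modify and
# FullControl both contain these bits, so they are matched as well.
$FsRights  = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FsRights::Write -bor $FsRights::Delete -bor
                   $FsRights::DeleteSubdirectoriesAndFiles -bor
                   $FsRights::ChangePermissions -bor $FsRights::TakeOwnership)
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000): some installers write
# these into ACEs, and Get-Acl then shows the rights as a raw number.
$GenericWriteMask = 0x50000000

function Test-BroadWriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($BroadPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    $raw = [int]$Ace.FileSystemRights
    return ((($raw -band $WriteMask) -ne 0) -or (($raw -band $GenericWriteMask) -ne 0))
}

function Find-BroadWriteAces {
    param([string]$Path)
    # The advisory states the permissive ACE applies to the directory and all
    # child objects, so the root and every descendant are checked.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if (Test-BroadWriteAce -Ace $ace) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Repair-NotesAcl {
    param([string]$Path, [string]$Group)
    # Only explicit (non-inherited) entries on the root are removed; children
    # that merely inherit the broad ACE lose it through inheritance.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and (Test-BroadWriteAce -Ace $ace)) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    # Grant Modify (not Full Control) to the named group, inherited by
    # subfolders and files, so the client can still write notes.ini and data files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$findings = @(Find-BroadWriteAces -Path $NotesDir)
if ($findings.Count -eq 0) {
    Write-Host "No broad write/full-control ACEs found under $NotesDir"
} else {
    $findings | Format-Table -AutoSize
    if ($Fix) {
        Repair-NotesAcl -Path $NotesDir -Group $AllowedGroup
        Write-Host "Replaced broad ACEs on $NotesDir with Modify for $AllowedGroup"
    }
}
```

Run it from an elevated prompt, first without -Fix to review the findings (the Inherited column shows which entries come from the root and which were set explicitly on a child; explicit child entries are reported but not changed by this script). Granting the named group Modify keeps the client working, since IBM notes that Notes needs write access to notes.ini and parts of the data directory, while removing the Everyone entry that lets any local account replace program files; the multi-user install IBM describes, which moves user-writable data out of the program directory, is the tighter option where it is available.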

Time Table:
22/07/2005 - Vendor notified
22/07/2005 - Vendor response
18/10/2006 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by Secunia Research (<mailto:remove-vuln@secunia.com>).
The original article can be found at: <http://secunia.com/secunia_research/2005-29/>
