notessecurity.com. How many of you have actually been to this presentation before? Last year? I remember you. Okay, we're going to be talking. If you saw this last year and you haven't made any of the changes we talked about, stick around. If you went back and took all those suggestions and recommendations that we talked about last year and implemented them, you're probably all right.

What we're going to do is very similar to what we talked about last year. There are a couple of new things. There is one big difference: we're announcing that one week from this weekend we're going with full disclosure. Last year we went with limited disclosure in order to make sure none of you guys got hurt. If you didn't pay attention, if you didn't go out there, you've got one week to get your act in gear. Lotus has done nothing in regards to this, except try to downplay it. That's why we are doing this now. They've had over a year to get their act in gear and they haven't done it.

My colleague Chris Goggans unfortunately is not here today, so it's basically just going to be me. Bill's up here. This isn't Chris. So I'll be doing the whole thing. We'll try to give you a break: when we get halfway through, I'm going to ask you if you want a 5 or 10 minute break. I know it's really hot up here, but hopefully we won't take as long as what we've actually got up here. We kind of ran over at Black Hat. Hopefully we can get through everything this time. When we did this presentation at Black Hat, we were kind of short on time and had a whole bunch of questions. Feel free to ask any question you want, but let's try to keep it quick. Actually, if you have a question, because we've got fans and everything else, what I'd like to do, something different, is have you come down one of the aisles. Just get up and come on down so that I can give you the mic. You ask the question and we'll go from there. Does that sound cool?
So, general introduction. Trust but verify. We said this a year ago. You need to go through and verify everything that you've implemented in Notes and Domino. A lot of the stuff you're going to be seeing today you've probably already heard about. You've already seen it with the likes of Exchange and Outlook; a lot of the things we're going to be talking about are very similar. It is the same type of functionality you can actually do in Lotus Notes. Unless you're running on this guy's network over here. Go ahead.

After our initial presentation last year, if you saw that, Lotus had actually agreed. Do we actually have any Lotus people? One? All right. I'm going to be picking on you all day today. I don't know where you work, but I'm not actually trying to pick on you personally. I hope you won't take it that way. But a lot of the stuff we talked about last year was supposed to stay up on the Security Zone part of their website, which is actually lotus.com slash security zone. And it came down, I think, about two months after our talk, which was really disappointing, and I think it was an injustice to the community, both the security community and the Notes community.

When we go full disclosure, actually, let me tell you something. We went with limited disclosure last year. So we basically gave you a whole bunch of recommendations to secure your environment. We didn't really publish the exploits. We didn't want to arm a bunch of script kiddies. I had about five people email me who were able to understand what we were talking about, and they were able to duplicate a lot of the exploits that we had presented. And a lot of them have been very antsy to go public with this, some of the stuff they're working on. There is a guy, his name is Coaxil Karma. He has a website called landofsilence.com. He will probably be publishing a brute force attack.
There's another company, or an individual within a company, I don't actually have permission yet to mention who he is, but he's also working on a password brute force attack. I believe landofsilence will probably be publishing their brute force attack within the next few months. So you need to really make sure that, yeah, it's okay, we're going to go like this. Yeah, that's all right. So we're going to do this presentation one more time if you didn't catch it last year. Here we go.

All right, so how big is Notes? It's really big. Last year when we talked about this, I think it was 50 million. It's now 70. It's above 70. 70 million corporate users. There's a new version, Rnext. There are a couple of new beta releases which are out. You can download them. Supposedly the fixes for the password authentication problems we talked about last year were supposed to make it into this. I've yet to actually see it.

In regards to what Lotus Notes is, if you're not familiar with it, many people are not familiar with Notes a whole lot. Lotus Notes is a totally integrated groupware platform. If you're familiar with Exchange, Notes is probably a bit more integrated than Exchange or a lot of the competing products out there. You can do all sorts of the stuff that you see up here. You've got the formula language, you have LotusScript. LotusScript is very similar to Visual Basic. You've got JavaScript, Java, C++. You've got the APIs in there. Yeah, you can't actually compile C programs in there, but you have C and C++ APIs in there.

How big is it? Who's using it? Everybody. Big six accounting firms. Half the big six accounting firms are using it. Most of the financial sector is using it. If you're a bank, you probably know what I'm talking about. Multinationals, pharmaceutical companies, it's all up here. Why are they using it? Because Lotus Notes actually has a really good reputation historically for being a secure platform.
It's actually based on a public key infrastructure, both in terms of authentication and encryption. You can encrypt at the document level, at the field level, at the network protocol level. It's pretty powerful. It actually was a good goal to shoot for, but there are still a few problems with it. In terms of access control, you can actually set access control at the field level, the document level, and the database level. And historically, until last year, there were extremely few vulnerabilities. There have been some new ones, and I'm not actually going to talk so much about that. I've mentioned a couple of the guys who've worked on it. There have been some guys who, if you've been on Bugtraq, have actually been working on analyzing the network protocol that it's using. They made some interesting discoveries there.

In Release 5, we saw Lotus drop the support for the Unix platforms, which I feel was unfortunate. But it runs on just about everything, and that's one of the strong features of Lotus. With Microsoft, you've got basically one choice. With Lotus, you have lots of choices, and there are a lot of companies and a lot of organizations that make use of that. Same thing with the servers.

So, did you see... I may get in a little trouble here with somebody, but did you see Bruce Schneier's talk at Black Hat? How many of you agreed with him? How many disagreed? Okay, I saw only a couple of hands. I don't agree, but I didn't get the opportunity to go up and tell him yet. I've got some friends that actually work within his company, and hopefully I'll be able to make my objections known to him. One of the reasons I disagree on this is that to me, security is much more like a vaccination. We don't try to control AIDS after you've got it. It's too late then. I don't try to control other diseases. I don't think you should be trying to control security that way.
I don't think you should be throwing money in the street and relying on detection and response. I believe prevention is crucial. I'm sorry? That's what a lot of us got. Prevention is... He stressed it was more important, if I'm not mistaken. Prevention was of lesser importance than detection and response. Yes, but he used the excuse, or he used the judgment, that good detection and response can make up for bad prevention or no prevention. I don't agree with that. Detection and response is a lot easier and faster. I understand that, and it sounds good, but it's kind of like viruses. Detection and response is possible when you know what you've got to detect against. And you'll see in some of this demonstration, like in terms of Lotus Notes, how can you detect things that you haven't yet witnessed?

When we presented this last year, there were a lot of things. One of the new things we started investigating is that Notes actually supports direct translation to XML from the web server. So you can actually start probing through a web server running on Domino and requesting XML documents. And most companies which use the logging facilities of Domino filter out only what they want to see: HTML documents, such and such, and other things which look like attacks. XML would get discarded in their logs. So if you're discarding things like XML requests, or you don't even know about XML requests... how many people actually know that you can pull XML straight from the web server? The rest of you are victims for this. So how could you justify good detection and response on something you don't know about? I mean, prevention is really key here. You have to rely on all three. But you really first have... It's like peace accords. You have to have peace accords with other nations to keep a war from starting. If you just sit around with a whole bunch of weapons, it could be too late. So all three are really important.
I don't think that you can just go off and leave prevention out of the picture because you have good detection and response. Well, this was my example. I've already said it. But using the farming and vaccination example, because this is what the U.K. did with foot and mouth, detection and response, and how many animals were killed. Does that mean it's right? Okay. I mean, how many animals were culled? I live in the Netherlands. I watched all this. Fortunately, the government of the Netherlands looked at this and said, this is bollocks. And they immediately went to prevention. They immediately started vaccinating everything. And a whole lot of animals were saved. So prevention is something you can't just totally throw out the window and rely completely on detection and response. That's the point I'm trying to stress. Because we have the same thing in security. How many servers do you actually want to lose? Because if you don't know what you're looking for with detection and response and you're not using strong prevention, you'll lose a whole bunch of systems, servers, and data before you can actually integrate that into your detection and response.

So strategically, and this is one of the things I said at Black Hat, we really have to stress this, because already we're starting to see some of the repercussions. People don't trust e-commerce. People aren't using e-commerce. Some of it may have to do with the fact that there are a lot of dot-coms out there that should have never been out there to begin with. But overwhelmingly, there was actually a poll just done. This was actually while Black Hat was going on, and it was Tech TV, and I may get the percentage slightly wrong, but I'll get somewhere in the neighborhood of what they were saying. They'd actually just done a poll of users on the Internet.
And currently right now it's something around 80%, 85% of all these users that they surveyed were looking to see government regulation of the Internet for security and privacy. Now, of all these 85% who were wanting to see government regulation in terms of security and privacy, something like 75% of those surveyed had incomes of 30,000 or less. I'm not trying to pick on you if you make 30,000 or less. That's not the point. But typically, generally, I'm generalizing, and whenever I'm generalizing, I'm lying. Generally, if you're making 30,000 or less, you're probably not a hardcore IT employee. You're probably not familiar with everything that the rest of us are.

And in the security marketplace, we have a couple of things to consider here. We have the supply side, we have the demand side, and we have threats. On the supply side, I would say of all the security consultants out there, and again, I'm not trying to pick on anyone here, we have 80% which really stay on the surface. A lot of these are some rather big names, unfortunately. But they're general security consultants, and they understand the principles. They're not hardcore technical security consultants. Probably 20%, if that, are really hardcore. On the demand side, we have 80% which historically, up till now, have been considering security a non-issue. And if you don't agree with me, then you're probably not a security consultant. I've been out there, I've been bashing people, I've been bashing companies trying to get in the door, talking to them about security. After we did this presentation last year, the company I had founded two years ago, when we did this presentation last year, we probably had five clients, five to ten clients, for Lotus Notes and Domino security. In the first month after, we probably caught over 200. So that percentage of the clients, maybe somebody else got them, okay.
But I don't think that there are a whole lot of experienced Domino security consultants out there. And right now, with the failure of the dot-coms, we're seeing a whole bunch of motivations which are increasing. We've got international conflicts. I was talking with some of the guys from ISS Taiwan. They were saying that they see 40% of their attacks coming from Asia. Another 40% is coming from Europe. About 10% is coming from where they're located. Only about 10% is coming from the United States. So they're seeing a whole lot of activity over in Asia and Europe, which some of you may be able to relate to. There's a lot of corporate espionage going on. Tons of ex-employees with nothing else to do. They're disgusted. They're bitter. We all know the stat that 80% of most security breaches come from disgruntled employees or from the inside. And everyone's got increased bandwidth. I've got a one-megabit pipe into my house where a year ago I didn't. I'm sure a lot of you probably have even more.

So how many of you are actually running 5.0.8 of Lotus Notes and Domino? Okay. 5.0.7? 5.0.6? Who's not running 5.0.3 or greater? Okay. Are you running a web server? Are y'all? Do you know about the directory traversal attack? Okay. And I assume that everyone here has a security PSPG implemented. We've really got to take this stuff seriously. If we want to see this economy turn around, you know, this isn't technical, I know, but this is something I really believe in. If we want to see this economy turn around, we've got to start taking some of this stuff seriously. If we want to see everything on the Internet, all the growth, spur more growth on the Internet, e-commerce, we're going to have to take this much more seriously. If you don't identify your problem, somebody else is going to.
And a lot of times I've gone out to these clients and they're talking about, you know, you're a security consultant, you're supposed to solve my problems, but you only bring problems to me. I didn't create the problems. I'm helping you identify them. One of the things, and if you're a consultant, I'm throwing this out just because this is why we're using the vaccination as an example: I've found that I've had a little bit better success trying to explain this to people, for the people who look at me as the creator of security problems in the Notes world. I didn't create it. Like I said, I didn't create any of this, I'm just identifying it, just like the doctor identifies the virus. Go ahead.

So we're going to talk about the client side for this first half, before the break. And there are the four things which you probably remember if you saw this before. If you haven't, we have these four things: the stored forms, the Execution Control List. The Execution Control List, if you're not familiar with it, is there to prevent potentially hostile code from running inside your Notes environment, or at least being launched from there. We have the password hash problem. We've still not seen any resolution to this, really. There is a small something that you can do, and if you haven't actually done it, which we'll get to, you need to get it done this week. And then in the last half, we're going to be talking about the access control list of databases.

One of the things that we have been doing at Black Hat, at Black Hat Win2K, and at Black Hat Asia in February, we actually did some demonstrations. They don't have the network up here, and I have some ethical problems about doing it. We did a couple of demonstrations while we were in Asia, but one of the things is what we called creative surfing. And this is very, very easy under Domino. You can start extracting information from Notes databases running on Domino servers, if they're running a web server.
Most people who have either developed internal applications on Domino, or bought third-party applications, have not undergone a serious security review of the design. And this is causing serious problems with those databases. Did anyone see the California Democratic Party news story? They were running a Domino server. They actually were accepting campaign contributions. Bob Sullivan on MSNBC had covered this. The California Democratic Party was running a Domino server. They did not conduct a thorough investigation into the design of the applications on their Domino server, but they were accepting credit card contributions, campaign contributions, on their website, and people could go in there and just retrieve all the credit card information, which I'm sure was really interesting to the Republican Party.

So, we have the stored forms. How many people do not understand this? Because if nobody raises their hand, I won't skip this. So how many people do not understand the Notes database structure? Okay. All right. Well, within the Notes database, you have three different parts here. You have the data, you have the forms, and you have the stored forms. In regards to the data, it's structured data. In Release 5, we had the addition of HTML; before that it was just rich text. In Release 5, it can now be stored as native HTML. You can include Java and JavaScript in that HTML. On the forms: since the data is arbitrary, it's just structured data, it's not very convenient for people who are interfacing with Notes to be able to look at a document and pull out the data that they need, or for entering data. So you have forms, and this is similar or akin to an HTML form that you fill out. It's actually how it structures that data and how it presents it to you for you to use. Wait, back up.
And you actually have something else called stored forms, where you can put the stored form within a Notes document for transmission to another database somewhere else. So that if that database does not actually have the form that you need to view the data, since the form is integrated into the document, when you open that particular document, you'll be able to pull it up and see it the way it was intended to be viewed. One of the reasons I have this here is that a lot of document management applications make use of this. I'd say probably at least 70% of the third-party applications you can pick up on the market from Lotus business partners are using stored forms.

And this causes a big problem when it comes to security, because the stored forms can actually contain executable code. So when you pop open that document, the code that's in the stored form will actually execute. And stored forms, this is an important point, stored forms by default are enabled on almost every database, especially your mail files. By default, it is enabled. And if you're running a mail server, and the mail server actually has Internet access for Internet mail, we'll do a demonstration here and you can see where you can have a lot of fun with that.

So we're going to do this demonstration here real quick. To explain what I've got here: unfortunately, since Chris isn't here, and I'm only running on one laptop, I actually had not configured this with advanced services in time. I had expected Goggans to be here and thought we could actually set up an SMTP environment going back and forth so you could really see this. Those stored forms can actually be transmitted over the Internet. And this is what I'm talking about. You'll have to bear with me and trust me when I say that this is actually possible.
We actually have a server running here and I've got a client which I'm going to switch back and forth to simulate several different users. The user I'm actually going to be using here is, you can't really see this, but it's actually called Dutch Slachtoffer. And since I'm in the Netherlands a lot, we've been using Dutch names for some of this stuff.

To give you a quick example here, or let you know what the configuration of this user actually is, this is his Execution Control List here. And you have a couple of settings here which are important. If you're not familiar with this, you have a Default setting and a No Signature setting. No Signature is for any embedded objects which have no signature attached to them. Typically these are things coming from the Internet, since things like Outlook, until previous versions of Outlook and everything, have not been using the same type of, the words have forgotten me, the same type of signature that Notes is using. Typically this will come across an SMTP server. It has no Notes signature associated with it. Default is anything that's within your own organization and has not been explicitly defined. It's the lowest level within your own organization.

So I just wanted you to see that all this stuff is turned off here, and you have a couple of different settings here. As of 5.0.3, these are pretty much the default settings. Before, these things were coming with everything enabled, and I believe it was in 5.0.3 that Lotus finally did change this, but there are still problems associated with this. Let me switch to the attacker. What we're going to do is send across a stored form. I've actually already got a menu option here which creates the stored form with the code in it. So I'm going to use this to create it, which I'm really glad I did, because the quality of these projectors is just nasty.
I wish we had something better so you could actually see this. I'm actually just filling out the address for Dutch Slachtoffer and I'm not going to put anything else in this email. I'll just say something so you can identify it. Those are all sevens. So we'll shoot this off, and if you look at the bottom of the console screen down here towards the bottom, you'll actually see this go across and get deposited into the victim's email account.

So we'll switch back here now. Is anyone familiar with BubbleBoy? Okay. This is basically BubbleBoy recreated. What I'm going to do... there's no actual attachment in this. This email, although the user can't see it, actually has a stored form within the email, and this is similar to what BubbleBoy actually did. So the second I hit Enter, what happened? Where'd it go? Now, maybe you would look at it as a security expert, somebody who attends this conference, and you'd have gone, hmm, better call the security guy. I'd be willing to bet $100 that your secretary wouldn't, and that's all I need. I don't need you to open it. I don't need to email it to the administrator. I just need the secretary to do it, because already, if you watch the bottom here on the console, a message has been delivered back to the attacker, which has the name Inbreker. So unless this user was actually watching the console, they probably would have just thought it was a buggy email.

True. Yeah, what he said was that there is a little display bar at the bottom here, and actually I didn't have time, but you can get rid of this too. It's possible to get rid of this. No, but this is true. This actually shows, this is kind of like a command shell history almost, in Notes. Everything that actually happened. I'm sorry? Yeah, the secretary still wouldn't know. I've actually gone across it when I used to be an administrator. You can do a broadcast on the console. Messages will pop up there. I used to tell people, log off. Please log off. Please log off. God, back it up.
Finally you'd have to walk around the office and hit them on the head. So switch back to the user here, or the attacker. So I've got an email here from Dutch Slachtoffer and it says I have created world access. I can't even read that. Basically what it's done, the stored form had executable code which was executed, just like in the BubbleBoy virus, and what it did was cause that user, without him or her knowing it, to change the access control list on the mail file.

And I'm sorry, I forgot to show you that. Actually I'd gone off and said that. Does anyone need me to actually verify that the access control list for Anonymous was completely shut off? I see a nodding head back there. Okay, let me do it again. I apologize for that. Okay, so we're setting Default to No Access and we are setting Anonymous to No Access. So we'll go back to the attacker and we'll send it again. Okay, now I'm switching back to the victim. So just to show you, doubly sure, Default is still set to No Access and Anonymous is set to No Access. We open it. It disappears. So Default is now, if you can see that, if you can make it out with the bad projectors, Default is now set to Manager and Anonymous is set to Manager. And I just heard my old heckler friend from last year say show them the log. So you can see there that at no time did anybody else, other than Dutch Slachtoffer, change the access control list. That code, come up front because I can't hear you way back there and I don't think anyone else will be able to. But basically that code was executed by the victim. Come on, don't be stage shy. You're a good looking dude.

The question is, what rights does the user have to have to their own mailbox, or to that particular mailbox, if they're opening a form, to give Manager access?
Because sometimes you might have a situation where the secretary has got read access to their boss's email, and you might prefer to send them an email which executes code rather than the boss. Yeah, that's a really good question. To change it, it's just like if they were to change their own ACL. They have to have Manager access to it. But it's very easy to create this. I'm sure it takes no leap of imagination to figure out that you could actually check, as the attacker causing the victim to perform this for you, what rights do I actually have to my own mail file? So we have actually done some code on this where you can have it do lookups in the database, so if they don't have access rights to their own mail file to change it, it would automatically forward itself to the next person. It's possible to simply send it to the admin, who will most likely have Manager access to everybody's mail file, and either update the ACL on the Name and Address Book or on the user's mail file. And if you write the script correctly, rather than deleting the form, which is really obvious and will tip off an administrator, you can simply delete the stored object, so all they see is a normal form that says, hey, let's have lunch, and they can't tell that it's a stored form.

One of the other... Somebody else actually had a good point as far as sending this directly to the email. I believe it was you that actually... I may not be right, okay. Somebody at Black Hat just the other day had asked the question: in Notes, can you actually forge the header so it looks like it's coming from someone internal? If you're using Notes, if you're an experienced Notes user, you've probably seen spam where people do this so it looks like it's coming from somebody else. You can forge your SMTP headers, and looking at the view, you won't really know the difference unless you're using a heavily modified mail file.
So by doing that you could actually send the email to the administrator, have it appear to be from a normal user, and the administrator will trust his users to some extent and open the email.

So I'm going to switch back to the attacker here, because this is also interesting. I know that there are not a whole lot of people that actually run mail servers and web servers on the same box, but quite often web servers will have mail-in databases, and I know of quite a few companies that actually have a commercial web server running Domino and a separate mail server which is running the HTTP process so that people can access their email using web-based mail. So if we actually pop this open as the attacker, we get a URL back which points directly to the victim's mail file, and we can just click on that, pop it open and go straight into the user's mail file without any authentication or access prompts, and there we go. We can now read his email and do anything we want with it over a web browser.

Did we not touch the stored forms already? I guess no, we didn't. A lot of the stuff with stored forms was reported by Oliver Burger. I think my slides are a little messed up here. Yeah, one of my slides got out of order. This was reported by Oliver Burger back in 1996 in Der Spiegel magazine, and I forgot to actually change that, but there are still very few people who are actually using the access control list, and everybody is still using stored forms. They're allowing the use of stored forms. What I would rather recommend, and I know administrators are not going to like this, is that if you're accepting Internet emails coming into your server and you need the use of stored forms, create two different mail files for the user and have one which is sitting there for Internet email that uses no stored forms. I know this is a little bit of a pain in the butt, but this is really about the only way around it that I know of.
Turn off the stored forms and let Internet emails come in there. Have an agent so whenever new emails are deposited, they get sent to their internal email. They're automatically forwarded from that point, or at least they have some sort of doclink that goes to their internal email so that they know they've got an Internet email coming in on the other mailbox. That is a kludge, but it'll work and keep you secure from stored form attacks over the Internet. Oh, go back. Go ahead, I'm sorry.

We have the Execution Control List, which is supposed to prevent a lot of this type of stuff. One of the things that we started looking at was another type of attack: the Notes API calls, the C API calls into Notes, are not intercepted by the Execution Control List. So you can use Visual Basic. You can actually put an ActiveX control into an HTML file and send it to somebody and ask them to launch it, and that ActiveX control will make a call into the Notes API and bypass the Execution Control List. So I'll give you a quick demo on this. Okay, I'm getting ahead of myself. I apologize here. Before I do that, let me just say a couple more things about this.

On the Execution Control List, you really need to make sure this is locked down and tight and that you actually have a corporate, centrally enforced ECL. Does anyone not have that? Or does anyone have that? Let's ask that one. Yeah. It's a real pain in the butt. I know. A lot of people are just not familiar with the Execution Control List. The ECL settings are really stored in an obscure location. There's not a lot of documentation on it. It's not real clear. Until 5.0.2, if you're running 5.0.2 or earlier, you have world access to it. There are also a couple of ways you can actually use either of these two options to reset an Execution Control List. There's a command in the Lotus formula language, @RefreshECL, and if you just leave the options blank, that will actually force the ECL to be reset.
There are other ways. You can go into the notes.ini file, and it's removing ECLSetup=3 from the notes.ini file. So you don't actually add it. You remove that setting. Yeah. I'll give you a website at the end, and all this stuff will be available there, because it'll be available within one week. As I mentioned before, the Notes API calls are not intercepted by the ECL, and since OLE and COM use the Notes API, that makes it very fun. Sorry. And Rnext? I actually have not investigated that yet. So I've only started dabbling with Rnext. I'm sorry. Yes. And will those be... I'm fixing to give you a demonstration on it here real quick. So the question he's asking, I'm fixing to answer for him. So here is the attacker, and what I'm going to do, let me show you what I'm actually going to send him. I'm having a real problem seeing this screen, so I can't see the icons. Bear with me. I can't see the icons off to the right of my desktop. Oops. Okay. I had to move these two over so I could see them. So I've actually got... I'm just going to pop open Notepad here and I'm going to give you an example of an HTML file. And in here we actually have an ActiveX... we have an ActiveX control, which is using VBScript. Just so you can see it, that's all that's in there. So what we're going to do is, as the attacker, we're going to attach this to an email. So this HTML file, which is actually called prettywomen.htm. Yeah. And we know everybody wants their porn, or at least all the men. Okay. Maybe there are a couple of guys here who don't want their porn on women. You know what I'm talking about. Let's not get into the semantics here. So we're going to switch back to the victim here. And as the victim, now I have a new email. There's my HTML attachment. This could really be anything that you could... that you would put an ActiveX control in. And we just launch it.
Now, since we're launching this from the Notes environment, you would think that the Execution Control List... we're launching this from the Notes environment, and you have an Execution Control List; before I do this, let me show you that it does not permit really anything. So again, as I showed you before, everything is turned off here. And there's also Java and JavaScript, but we're not using Java or JavaScript. Typically I have a shirt mic; trying to do this with one hand is really difficult. So we go ahead and we click to launch it. So now, something I want to point out here, we do actually get an alert. I'm not trying to hack Internet Explorer. My purpose is to show you about the Notes security. There's plenty of other good material out there, and I've never tried to incorporate any of that, simply so as not to confuse people with what I'm actually trying to do. This is purely about Lotus Notes and Domino. So we do actually get a little prompt here. It tells us we're about to get an ActiveX warning. And when we get that, please click OK. So we'll click OK on this, and here's our ActiveX warning. Warning of potentially hostile code. I believe it was L0pht that actually did the latest thing on Office 2000. Is that correct? Nobody knows? I'm sorry? Georgi Guninski? Could be. I don't actually get into the Office 2000 Internet Explorer hacks as much. But I know that there's some good material out there on the net that you can find on this. So we'll go ahead and click Yes. Now, what we've seen is we get a listing in HTML. We have this ActiveX control, which has gone off, and this is now not going to the Domino server. Don't be confused by that. We're actually doing an HTML page directly through the Notes client. And if you look back here in the view, that matches this. We've got a listing of everything in his inbox. So this is executed. We did get the ActiveX warning from Internet Explorer. As I said, that's not the purpose of this. We did not get any type of Execution Control warning from Lotus Notes.
That's the point I'm trying to stress here. Notes should have actually warned us on this and said we're not going to allow this to execute, or at least given us the option to abort. I'm sorry. Can you come up here? I can't hear you. I don't think anyone else can. You had that execute with a standalone browser instead of internally with the Notes client. Would it make a difference, since Notes looks at its internal web browser differently? We could try it. Yeah. 35 minutes for the whole session. Oh, okay. If you want to see that, because he just informed me we only have 35 minutes left, let's come up after and we'll try it. I'll just show you here real quick. Nothing got modified in the ECL. Everything is still set to no access. If you have a question, please come up here. If you had detached that HTML file and launched it separately, would it have done the same thing? The point is we actually launched it from within the Notes environment. So you would think that the Execution Control List would actually block any calls made into the Notes environment from within it. Notes cannot protect against anything coming at it externally. There aren't really too many applications that I know of that could actually do something like that. And that's actually even Lotus's statement as far as that goes. So I've gone back to the attacker here, and you'll actually see we've got an email back from the victim. And we did this all using Notes API calls from the VBScript. And we actually have the name of the mail server. You can't really see this, but on the second line, or the first one after the big space, it says mail server and the name of the server, or the file listing on the mail server where his mail file is. We actually now have his HTTP hash, and I'll get to that in a little bit. And we have his Notes ID file. And we're going to make use of both of those, the hash and the ID file, in a couple of minutes.
And information on his local client: where his ID file is located on his local client. So we've sent this all back to us. And I'm going to have to hurry, because I really want to show you that. Yeah, if you all want to get up and get some more, since we're running behind, if you all need some water, feel free to get up and get it. Now we've got the ID file, we have his hash. The victim's hash and his ID file. And this is where it really starts to get interesting, because the password hashes of Lotus Notes are not salted. Unix actually went through this 15 years ago. They figured out they had to use salted hashes. Windows recently went through this. Lotus is just now fixing to go through this. The hashes are static. In other words, this hash of a password, the top line here, will always equal "password". I'm sorry, "password" will always result in that hash. "Secret" will always result in this. And the next one. So this makes it really easy to create a whole bunch of known passwords, or a dictionary, within a database and build a brute-forcer. Yes, but there's still problems with it, because in 5.0.3 they had actually implemented an option to upgrade to a stronger hash mechanism. And in 5.0.3, although that was implemented, it was broken. So you could actually select in your server profile document to always create new users using the stronger hashing algorithm. And in 5.0.4 they fixed it, because in 5.0.3 it would not do that by default. In 5.0.4, oh, thank you. Don't give up. In 5.0.4 they had actually fixed that. But I just actually realized the other day that on 5.0.6 it wasn't working again. So what you have to do is you actually have to manually go back and upgrade all your users individually. And I'll show you how to do that in a minute. But you have to go back and upgrade to the stronger hash, which is the salted hash. So where this gets really interesting is if... I'll minimize this. We're now logged in as the attacker. All right.
I'm going to close this so we can see what we're doing a bit better. Now, as the attacker, I'm going to pretend like I'm not able to actually switch back and forth, because I want to walk you through this. I'm going to detach the ID file to my desktop, which there it is. And I'm going to switch the ID file. Oops. I forgot one thing. I'm going to copy and paste this hash, if I can even see it. And when I copy this hash, I'm going to switch to the next user, or switch to the ID file I just retrieved. Now, I have this hash pasted in my clipboard. I've got to find the icon here. I had to move this icon over here. This is the program Open Sesame, which will be released in a week, a week from today. Both binaries and source code will be downloadable from notessecurity.com. What we're going to do is we're going to launch this. And since those are static hashes and they're in static places in the memory of the client, although they do change slightly between each version, Sesame knows about where those are actually supposed to be stored. So the hash you're seeing there is actually my hash as the attacker, but I'm going to paste in the hash from the victim now. And I'd like you, since this is your second time, come up here. Now we have, you can't really see it here, but we pasted in the hash in the middle box, and the bottom box actually says new user password. So I'd like for this gentleman here to type in whatever password you'd like to be able to use. Okay. I can't even see the screen. I've got to switch back here. Okay, hang on, I have a problem. I've got a parenthesis in there, that's why. Yeah, do it again. I think I've got a bug. Okay, I'm trying to hurry. Hold this. Meanwhile, why doesn't everybody take this opportunity to get some more water? Ten minutes before, I did a run-through and it worked, but for some reason something's weird in my environment; it's acting a little hokey. Since we're running short on time, I'm going to skip this part of the demo.
If you want to see it, come see me afterwards. We'll go sit out there and I'll show you how it works. A couple of people actually saw this last year; you can talk to one of them if you want to ask somebody if it really works. It does. But what it would have actually done: we should have been able to paste in the hash, and it would have appended that hash that we just pasted in to the new location where it is in memory. And so he would have been able to type in his password, which he was typing in clueless, and he would have been able to authenticate with the ID file using that. He then could have actually logged out of Notes, and the new user could have gone back in and typed in his password, and everything would have worked just fine. So I apologize that it's not working there. So we have the ID file validation, which unfortunately doesn't work for this show. But it does typically actually work. One of the things after we did this at DEF CON, Lotus came back and said you had to have physical access, so they don't consider it a serious threat. But as you saw, we actually were able to get the user to send us his user ID and his hash, at which point physical access becomes a moot point. So you could actually do this remotely. Yeah. Yes, it is. Yes, it has to be the same. What I hope to have in the next release of Sesame is that it will actually pull it up from the session in memory. So I'll actually have some VBScript that will do that for us. Yeah. Yeah, he asked if the server, or I'm sorry, the administrator, actually checks his mail on the server console while the server is running. If we could actually have it send the server ID file back to us, which doesn't have a password, yes, we could actually have that done as well. Yeah, that's what he was just asking. This demo actually did, but I'm working on a new VBScript that will actually yank it directly from the memory of the user.
Because it's static: each minor release of Domino, or of the Notes client, stores the hash in a static location in memory. So if you know which version it is, then you just go to that memory location and yank it out. That's actually what Sesame does; it knows where that hash is and it plugs it in right behind it. And we don't actually overwrite it, because that way the attacker can log back out. If he's actually got Sesame on a floppy disk, he presses the F5 key, walks away, and the original user can come back in, type in his password, and never know the difference. Yeah, in this demonstration, yeah, the VBScript, since we're pulling the HTTP password there, what he asked was, does the HTTP password in this rely on not having the salted password? And in this it does, but even though you may upgrade the HTTP password in the Names and Address Book to the salted password, in the ID file and on the Notes client it's still unsalted. Right now in this demonstration I was pulling it from the Names and Address Book, but there's going to be a new version of the VBScript, which I also intend on releasing, and that should be able to pull it from memory. Right, if you try to retrieve it from the Names and Address Book. But if you upgrade to the salted hash, it doesn't change what the client itself is actually using. That only affects the web, the web-based authentication. Yeah, I'm sorry. I know this is part of your business and everything, but when you do the full disclosure, is it going to cover, like, the script? I know you said you can put Sesame out there. Are you going to have the scripts and the possible corrections for the problems? Okay, so all that will be out there. And that's going to be at notessecurity.com. Yeah, there are also 58 Nessus scripts, which I've written. 58, one for every single database of the default installation, that go through... Mm-hmm. Hey, they downplayed it. They did that with everybody.
You'll be able to go, like, hey, guys, look at this. Fix it. Please? All right, we're not going to take a break, since we're running so late. Okay, on the access control list, we're going to go ahead and skip straight to the server, and I'm going to hurry on so we can let you guys out of here, to the access control list of the server. Like I just said, I've got 58 scripts for Nessus. Unfortunately, the author of Nessus was at Black Hat, and I've yet to actually run into him. I actually had to attend a different session, so I didn't get to see his presentation, but I've been working with Nessus for about the last year and a half. And I have 58 scripts just for the server side of Notes databases, because there are 58 databases by default which are installed on your Domino server. And if you're running Domino in a web configuration, you probably haven't gone through and checked every single database. And the interface... ACL Reporter is a good tool. If you're not familiar with it, I think it's IBM. You're talking about the Notes database that you run? ACL Reporter is a tool that will run on your Notes server. It will collect up all of your access controls and flag those that have changed and those that deviate from a rule set, so that if you've got a rule that says default access is always defaulted to no access and somebody changes it, it flags it for you; you can go back and see who did it and correct it. Unfortunately, I found most admins will run it and not check the logs. But ACL Reporter, I'm not sure how much it costs. It is possible to duplicate the functionality in LotusScript, though. Yeah, IBM actually has a database tool. It's actually a database application you can run on your server, and it will do something very similar: it puts all the current ACLs in a database. Like I said, I've been using Nessus for quite a while, and this will do the same thing from the web server standpoint. We didn't have enough problems already. Skip to the next one, I already said that one.
All right, these are crucial ones to look at. A lot of times when I've gone out and looked at somebody's server, quite often, well, typically the Names and Address Book, if it's actually ever been used as a staging server, in other words, they've done a whole lot of development on it and they've ramped it up to a production box for development purposes, a lot of times the admins just gave full access to the Names and Address Book and forgot to go back and change it. You need to make sure, at the minimum, to check the top two, the Names and Address Book and the catalog. The reason for the catalog: the catalog's sole purpose is actually to catalog everything in your Domino environment. And that includes documenting the access control list of each database. One of the Nessus scripts I've got will go off and query the catalog database and retrieve, with just a couple of XML requests, not a hundred or anything like that, just a couple of requests, everything that's under default and no signature. And since, like the point I made earlier, most administrators have not created a view in their domlog for XML requests, they've filtered out everything else. They're only pulling back HTML, what HTML requests were made. They'll never actually see what I've just done. And I now know what all the third party and internally developed Notes applications residing on their server are and what their access control lists are. The server ID. We have still to this day in the Notes documentation a kind of quandary with this. Regarding the ID file, like the gentleman over here made the comment, most servers do not have a password on their ID file. That ID file for the server is technically the same as a user ID file. The only difference is the information stored in the Names and Address Book.
I can use a server ID, load it up in my client, and access another server, not the same server, but another server within the same environment or the same organization, and be able to read it almost as if I was a server. There are of course some exceptions: if a database actually has the type in the ACL set to only a server, they'll see I'm accessing it with the client, and it won't let me open that. But since a lot of you guys don't always have that set, I'll be able to get in and access that database. The ID file, another really good point was the directory traversal. If the ID file was actually in the data directory, then I could retrieve it from the data directory across the web server. So you need to make sure you've got passwords on it. The quandary I was mentioning was that Lotus actually recommends, if you want to use the auto restart functionality, don't set a password on that server ID file. So you've got one part of the documentation that says put a password on that ID file, and another part says don't. So here, this is going to just touch on the web server. There'll be more information, since we're probably not going to get to this. This is where it actually has to do with creative surfing. The URL language for the Domino server is extremely powerful, and most applications make use of it. Where we run into problems is that with all that functionality you can do things; you can retrieve information from badly designed databases. This includes the Names and Address Book. Here we have just kind of a synopsis of how the language is actually structured. I would ask you to consult the developers' and the administrators' help databases for more information. But this is basically how it's constructed. Using this you can actually come across and, I'll give you a very, very quick demo. I need an Explorer. In the example I'm going to show you how to retrieve a list of users.
This is the way Lotus actually intended you to see this information from a web browser. I've actually got the literal view name appended here after this. In the URL we have the host name, we have the database name, and we have the view name, which is People. What that actually produces for us is what Lotus actually wanted you to see, and it looks like this. We have the listing of the users here, so I'll just pick one of these. As you can see, since we don't actually have... Actually, I believe we do. But if we did not have... No, we don't. We do not have edit access to this, to the Names and Address Book, but... So as a result, we cannot see the internet password here. But if we actually just change calling it from the People view to the $Users view... I can't really read it, but I think that's it. No, that's not it. These screens are just horrible. I'm sorry. Here is the $Users view. Now we actually... This is a different view in Notes, and if we scroll all the way over here, we'll see that this view, which we've actually changed in the URL itself, will produce a listing which will actually reveal all the HTTP passwords for us, even though we do not have sufficient rights to actually read it. And there they are. They just went by. I'm having a real problem with these screens, guys. So there... You can't really read this, and I apologize again, but these are the HTTP hashes here, where we did not have enough access in the viewable view; right underneath it, using the hidden view, the $Users view, we can now actually pull all this information up, and we can retrieve all the HTTP hashes and other information which was not actually intended. We see this a lot, and this is what I was talking about with creative surfing by using the Domino URL language. When you modify the URL syntax of this, you can actually obtain other views which the developer did not intend you to be able to retrieve data from. So we're going to skip through here.
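A defender-side check for the kind of request shown in the $Users demo above and for the domlog blind spot mentioned earlier, written here as an added example; it is not a tool from the talk or from notessecurity.com. It parses Common Log Format lines (a format Domino can write) and flags reads of hidden "$" views in names.nsf, any web read of catalog.nsf, and ?ReadViewEntries XML reads; the log lines, client addresses and the view name SampleACLView are constructed.

```python
"""Flag Domino web requests that reach data the visible views withhold.

Added example for this transcript, not a tool from the talk or from
notessecurity.com. Input is Common Log Format text (a format Domino can
log in); the sample lines, client addresses and view name SampleACLView
below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Common Log Format: client ident user [time] "METHOD url HTTP/x.y" status size
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Domino URL shape: /path/db.nsf/<object>[/<more>]?<Command>[&arg=value...]
DOMINO_RE = re.compile(
    r'^(?P<db>/[^?]*?\.nsf)(?:/(?P<obj>[^?/]*))?(?:/[^?]*)?'
    r'(?:\?(?P<cmd>[A-Za-z]+)(?:&(?P<args>[^#]*))?)?$',
    re.IGNORECASE,
)


@dataclass
class Request:
    client: str
    db: str    # database path, lower-cased, e.g. "/names.nsf"
    obj: str   # view/form/document name, ( ) of hidden views stripped
    cmd: str   # Domino URL command, lower-cased, e.g. "openview"
    url: str   # decoded request URL


def parse_line(line: str) -> Optional[Request]:
    """Return a Request for a Domino (.nsf) URL, None for static files or junk."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    url = unquote(m.group('url'))  # %24Users -> $Users
    d = DOMINO_RE.match(url)
    if not d:
        return None
    return Request(client=m.group('client'), db=d.group('db').lower(),
                   obj=(d.group('obj') or '').strip('()'),
                   cmd=(d.group('cmd') or '').lower(), url=url)


def findings(req: Request) -> List[str]:
    """Reasons a request deserves a look; an empty list means nothing notable."""
    out: List[str] = []
    # Hidden '$' views of the directory (e.g. $Users) list fields the People
    # view does not, which is how the HTTP password hashes were read above.
    if req.db.endswith('/names.nsf') and req.obj.startswith('$'):
        out.append(f'hidden directory view {req.obj} read')
    # catalog.nsf documents every database and its ACL; reading it over the
    # web maps the whole server.
    if req.db.endswith('/catalog.nsf'):
        out.append('catalog.nsf read over HTTP')
    # ReadViewEntries returns XML, so a domlog view that keeps only HTML page
    # hits never shows these requests.
    if req.cmd == 'readviewentries':
        out.append('XML view read (ReadViewEntries)')
    return out


def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client, url, findings) for every request with a finding."""
    flagged = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        hits = findings(req)
        if hits:
            flagged.append((req.client, req.url, hits))
    return flagged


# Constructed sample log: a legitimate People view read, the $Users view with
# and without its ( ) hidden-view parentheses, an XML read of the catalog,
# a web-mail inbox that should not be flagged, and a static gif.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2000:14:02:11 -0700] "GET /names.nsf/People?OpenView HTTP/1.0" 200 4821
10.0.0.5 - - [23/Jul/2000:14:02:35 -0700] "GET /names.nsf/($Users)?OpenView HTTP/1.0" 200 19344
10.0.0.5 - - [23/Jul/2000:14:02:50 -0700] "GET /names.nsf/%24Users?OpenView&Start=1&Count=1000 HTTP/1.0" 200 65012
10.0.0.5 - - [23/Jul/2000:14:03:02 -0700] "GET /catalog.nsf/SampleACLView?ReadViewEntries&Count=500 HTTP/1.0" 200 77210
10.0.0.8 - - [23/Jul/2000:14:05:40 -0700] "GET /mail/jdoe.nsf/($Inbox)?OpenView HTTP/1.0" 200 8320
10.0.0.9 - - [23/Jul/2000:14:06:12 -0700] "GET /icons/spacer.gif HTTP/1.0" 200 43
"""
```

Running `scan(SAMPLE_LOG)` flags the two $Users reads and the catalog read while leaving the People view, the web-mail inbox and the gif alone.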
This is what I was just talking about. And here you've actually just... Since we don't have enough time, this is actually one of the Nessus scripts, which is running from the command line. And I'm actually retrieving all the information from the Names and Address Book, and from the catalog database regarding other databases and what their access control lists are. And again, that will all be available on notessecurity.com. So to skip ahead to the conclusions here real quick, there are all sorts of multiple vulnerabilities. I'm sorry, we've only got six minutes left. That's why I'm having to hurry through here. Go ahead. Just move through about every 15 seconds. In terms of workstation security, you can get malicious code to execute. I think we did get that to work where everyone should have been able to see it. With stored forms, we can reset ECLs, bypass ECLs with OLE and API calls. On the Domino server security, using the URL constructs, you can actually view unintended content. You can actually even modify that. You can upload content. You can modify the Names and Address Book using some of those custom or creative web surfing constructs. The server ID can be stolen. Once you've got that, you can usually get into other areas of a Notes network. Again, the server ID is just the same as the user ID file. So make sure you've got passwords on those. One other thing: Coaxil Karma has actually got a couple of utilities. A lot of people seem to be very unaware of this. The ACLs in the Notes database are actually just text fields. If you're not familiar with that, I would ask you to actually check out either, again, my website or landofsilence.com. The utilities he has are called ACL Modify and ACL Enforce. Using those, you can actually turn on and off consistent enforcement of ACLs, or you can actually even modify anything you want in the ACL. They're just little command line shell utilities for modifying databases.
This is really important, because if you get physical access or direct access to the file system of a Domino server, there's basically no security left. Yes. IDs can be obtained from the web server, the Names and Address Book, with malicious code and email from the workstation and local drive; I gave you demonstrations on that. And unfortunately, I'm sorry, we didn't get Open Sesame to work there for you. I'll be glad to show you after this. Just come on up and we'll get that running. Again, most of these vulnerabilities can be dealt with using various workarounds. All this will be documented on my website. Go ahead. Don't store the user IDs in the NAB. This is really key, really important. Don't do that. Store the user ID file on removable media or on an encrypted PGP disk. Don't store server ID files in the data directory. Almost everyone does this, and they name the server ID with the file name server.id. This makes it very easy to retrieve those. Keep it out of the data directory. Put it somewhere else, much more obscure, so it makes it more difficult for people to retrieve that. Choose different passwords. As this gentleman pointed out, choose different passwords for the ID file and the HTTP accounts. Use the strong password hash from Lotus. You'll have to manually upgrade that. Before you do it, I would ask that you check with any third party or internally developed applications to make sure it's going to work if you're using web-based applications, because you may run into the problem that using the stronger hash may break those applications. Always exit Lotus whenever you leave your desk. Don't use the F5 functionality. Using Sesame, you can get around that. Enforce ACLs on all databases, but at the same time make sure your operating system is completely secure. Do not run it on a file server. Do not run it on a print server. Make sure it is completely tightened down. Now, let's go ahead. We gotta hurry. Yeah, here again, here's the URL.
So you'll be able to go to fallingdominoes.com, and that will basically take you to notessecurity.com. Falling Dominoes is the name of this presentation. But Notes Security, all this information, and in greater detail, will be available on this website. Keep checking BugTraq. I've got Lotus's security zone up here, but don't rely on that as your chief security website for Lotus Notes vulnerabilities. They've not done a very good job on that, unfortunately. Make sure to hire security consultants, experienced Domino security consultants, to come in and review your infrastructure. If you're not doing that, you're taking risks that shouldn't be taken. And again, here are the URLs for landofsilence.com, Counterpane, fallingdominoes.com, and notessecurity.com, where you'll be able to find more information later this week. And that's it. Are there any other questions? Yeah. Yes, if the target isn't an NT server? Yes, it will. Yes. Yeah? How many have I been... How many have I actually done, been hired to do? We did some statistics, and probably 80% of the Domino servers that are out there which are running as web servers are completely open. I've been contracted by no more than 10 in the last year, which is really sad. Anyone else? Okay, you guys are free to go. Thank you.