Well, don't clap yet. You might not like it. We're here basically to talk about Lotus Notes and Domino security. My name's Chris Goggans. I'm with Security Design International. And we have with us Kevin McPeak, Patrick Guenther, and Wouter Aukema from Trust Factory. Yeah. Yeah, that's the one from the sub that you saw in that movie recently. So basically, before we go into this, I just wanted to touch on something. I understand there was a little talk a few days ago where someone didn't particularly like the idea of disclosure. But you know what? There's a whole difference between reckless disclosure and responsible disclosure. Reckless disclosure is someone who doesn't give anybody's customers, vendors, or what have you, any heads up, and just blasts the thing with exploit code so that everybody in the world can suddenly break into things and catches everybody off guard. The idea of responsible disclosure, which we've tried to do with the series of vulnerabilities that we're going to talk about here: we've been working with Lotus, made them aware of things, been working with very large Notes deployments throughout the world, trying to make people aware. And just so I don't disappoint anybody, some of the tools you're going to see demonstrated in here, we're not giving out. But once we tell you how it's done, those of you who are clever in the audience will probably turn right around and do so. And what you do with them at that point is strictly up to your conscience. So, sorry, Marcus, here we go. Basically, some time ago, Trust Factory contacted us and said, listen, we found a couple of things that look a little weird. Can you help us? We want to take a look and validate that these things are real and then work with us to try to make sure that we can get the maximum exposure. That's what's bringing us here to DEFCON. With all the media and everything that DEFCON's turned into, I would imagine we'll probably get a little bit of exposure to this.
And in working with Lotus, when we told them we were going to do a presentation on Notes security at DEFCON, they said, go for it. So we're here with their blessing, although I really don't think they knew what DEFCON was when they said that. So starting off, basically for those who don't know what Lotus Notes is, you probably won't get anything out of this at all. But just for your benefit, so you can at least follow the bouncing ball, Lotus Notes is basically a secure groupware platform. It gives people the ability to have email, various applications, web and database connectivity. It's basically a little secure sharing service, right? Lotus Notes is also really powerful in that it has several different ways in which you can write applications that run against the Notes environment. It's got its own little formula language. It's got its own macro language called LotusScript, which is really powerful, and you can use it to basically manipulate anything within the Notes environment. On top of that, it'll support things in JavaScript and in Java, and there's a C++ API that you can actually code external applications to talk directly into Notes. And through that, there's also a way to talk to Notes through OLE-enabled applications by using a Notes.NotesSession OLE object. So you can actually do things with Word macros and talk to things. But I'm getting ahead of myself. Now, to give you an idea about how big this is, Lotus says at this point they have approximately 60 million corporate users worldwide. That's kind of a lot. Now, the majority of these are running on version 4.6. It's probably the most user-friendly, and it doesn't take up nearly as much space as the later versions. The remainder is running on 5.0, the various versions and releases of that.
To give you an idea about the kind of places where Notes is, you'll be hard pressed to find anything in the Global 1,000 that doesn't have some sort of Notes installation within their corporate environment. Just in terms of customers that we've worked with: large power companies, telephone companies, big manufacturing concerns like a lot of the major big computer manufacturers, pharmaceutical companies, petrochemical companies, most of the major defense contractors, as some of you in the audience know. Government installations, state legislatures and federal legislatures, military systems, intelligence agencies. Again, everybody who's been spotted from CIA and NSA, you know exactly what's going on here. And for those of you who we probably talked to before, who came here to see the talk, hope you enjoy it. The CIA is probably one of the largest users of Lotus Notes out there. They pretty much store everything they do within Lotus Notes databases. Going into financial services, big accounting firms, especially those, you know, any of the major Big Five accounting firms are all using Lotus Notes in order to keep track of merger and acquisition data, corporate tax information and any professional services project that they need to schedule. Banks, insurance companies, and the list goes on and on. Now, why on earth would all these people use this product? Well, Notes is known as a secure platform, has a lot of security features, specifically in the way it implements its own little PKI implementation. It has a strong mechanism for authentication and it gives you a facility using your Notes ID file as a key to actually encrypt different databases. It provides access control on a bunch of different levels, including the server, database, document levels, even within particular fields in a document view. You can set an access control and, for our friends in the government, it meets the DMS requirements, so that's probably why a lot of you use it.
Now, in the coming hour, we're gonna demonstrate a lot of stuff and it's gonna go by really fast, so I'll preface this now by saying the slideshow will be available on our websites after we're done, but we're gonna go through several vulnerabilities, including two new kind of major security vulnerabilities that exist with Notes. The first one has to do with bypassing the Notes execution control list feature and the second one is probably the most serious vulnerability I've ever seen. Basically, it allows you to use a Lotus Notes password hash and a stolen ID file to authenticate to the server without knowing anything about the password embedded in that ID file. So these attacks, as you might imagine, can allow users to gain complete control of the Lotus Notes network in a matter of seconds and will give you the facility to completely hide your tracks. Now, I'm gonna turn it over to Kevin McPeak to continue on with some intro vulnerabilities. Hi, I'm Kevin McPeak. You know, I have to give a little, ooh, a little disclaimer here. Sitting up here, I just now realized there's a whole bunch of people from the intelligence community. Being someone from Texas who's now started his own security company in the Netherlands, it looks a little funky, so I don't need anybody, and I would ask, I don't need anyone pegging me or raising any red flags. Please don't kill Kevin. Yeah, please don't kill me. I'm still loyal to this country and all that good stuff. We're out here just to make better software. All right, some of these vulnerabilities here, which we're going to be detailing, actually fall into the following categories in which a particular user could commit acts of vandalism, theft, fraud, and all those combined together enable an attacker to conduct information warfare.
And this is quite a serious issue because there's a lot of government agencies, as Chris outlined, as well as commercial organizations that are just trying to go about their business and do it securely. Now, some of the things, I'm actually gonna set this down. Try to go on the ones that are here. Several of the major security problems that we commonly find as security consultants auditing Notes installations are problems where users have misconfigured settings because they don't know what they're actually doing, or are using the default installation settings of Domino. Now, this may seem really simple and everything else, everyone should know better, but nobody does. I would say over 80% of the installations we've audited have this problem inherent in their infrastructure that they've rolled out. These problems consist of access control lists, the ACLs, improper settings in the names and address book, server ID passwords, execution control lists, stored forms. And there have been several security advisories which have already been released by various other organizations, including L0pht and various other ones, that have addressed this. Unfortunately, it seems nobody's really listening because we're still finding the same problems. Now, in the access control list, if I can get Wouter to log me in here, I'm going to just give you a quick example of what an access control list looks like under Domino. All right, sorry. There we go. Now, for those of you who have never seen one or don't use Domino that much, this is your access control list here. You actually have entries for Domino servers, internal to the organization, Domino servers. These are groups which are created in the names and address book. This here is usually used for external organizations which are accessing your server. This is for the server itself, and this is for either a user or you could create a group of users.
And you can see over here that right now this person is a person, not a server, although he might think he is, and he's a manager to this database. Default is anything which does not fall into what is listed below. So any other user inside this organization will typically fall under the default category. Now, it seems to be a well-known fact, but a very poorly implemented one, is the anonymous entry. The anonymous entry is anything that is not signed inside Lotus Notes. There's no signature on that database or from that user identity. So anyone accessing this database over the web will have total access, because as you can see, he's actually got manager access. The default installation of Domino comes with several of these databases, including configuration and setup databases, that are configured either with anonymous access as a manager or there's no entry for anonymous, period. This allows somebody else or somebody remotely to conduct, I guess you'd call them pseudo attacks, as I'll demonstrate here. This is actually a result of the misconfiguration of the names and address book in which they're allowing browsing of all the databases within Notes. Now they can just, the nice thing about this is you can just click on any one of these, such as the address book, and you're now in the address book. If you don't mind, do you mind if we hold questions till the end? Okay, we will get to you though. So typically within many organizations, during the configuration, either they will accept the default installations or they will enable total access, just to ease the installation process, and they always forget to go back and tighten these security settings. Now, as a result of this, these are various examples of URLs which could be entered into a browser or some other application which could go off and retrieve the entries using HTTP commands. And these will all grant access to those types of databases if your access control lists are not configured.
And that is what I was showing back over here. If we actually take a view of the database here, I'm sorry, oh, sorry. One more, one more. All right, that's back to what I was doing here. This is the same command that you saw on the other screen in the URL entry. You'll actually see the same command or a very similar command which is demonstrated here. The only difference with this, if somebody has actually gone into a database and implemented their own customized navigator, this particular command will take you back, and this is actually a function of Domino. This will bypass any customized navigators and take you back to the default views. This type of information, I'm sorry we're having to switch back and forth, we thought we'd have a few more screens, enables me to go in and select a particular user. I'll select myself and, as you can see, I was secure and removed my ID file. We'll take a look at the Sam user and you'll see later in the demonstration where this is a valuable little attachment here, because now I have access to this, I can read it, I can attach this to my hard drive and you'll see where that comes into play later on. And you've got to protect that type, you gotta keep attackers from having that type of access to your names and address book as well as these other databases. Commonly misconfigured databases, these are examples, there are many more. You have names.nsf, that's your Domino directory, or before release five it used to be called the names and address book. That's what I just poked around in and opened up the person document for. The catalog database is actually a database in which there's an inventory of all the other databases on that server. So I can find, just by simply opening this database from a web browser, all the other databases, the mail files for that particular server. The Domino configuration database is one that's used in release 4.6 to actually set up virtual hosts and virtual servers on the web.
So you could actually, an attacker could actually manipulate this, and this one, I believe there was an advisory, I'll have to go back and check, but I believe L0pht had actually made an advisory about this, because what you could do is you could actually modify and give special URL commands and create a new virtual server remotely. The log.nsf, this is where everything in Domino is actually logged on the server. Everything from SMTP emails, serial replication, TCP/IP replication, all that is logged in one central database and that's this one right here. If you've got read/write access to this, you can erase your tracks for anything you've done on that server. This is, the web admin is one that's used often to, especially in release five, since there's no more client on Unix hosts and AS/400 as well as the mainframe versions of Domino. This is commonly used to configure and install, I'm sorry, just configure and maintain the Domino server remotely from a web browser. And these databases are used for the setup, configuration and installation of a Domino server. And this one is typically left on a server with manager access for the whole world. And there seems to be really bad user education that you need to either delete that database or tighten the ACLs. Within names.nsf, these are some of the valuable points of information that you can retrieve. Patrick's going to show you later how we can actually retrieve the HTTP password hash. And we can use that in a particular type of attack to gain access to the Domino server. Quite often with ID files, when the user is created, administrators have a tendency to think, well, we'll just leave the ID file on the Domino server in the person document, and when they set up their Notes client, they can actually just pull their ID file when they set up their Notes client. They forget to detach it. This is really bad because if I can open up that names and address book, I've got their ID file.
And I can build a little program to sit there and brute force the password. Or, as you'll see, we've actually done even one better. The database does not usually contain an anonymous entry in the ACL in names.nsf. And there's a tendency amongst administrators to actually go out and set up manager access just for everybody while they're configuring a server. And they forget to go back and change that when they roll out Domino as a web server or an email platform for an internal server which is running their entire organization. All in all, names.nsf really helps give a remote attacker a blueprint of the organization and how Domino has been deployed in that organization. The catalog.nsf, I think one of my colleagues is prompting me to talk a little bit faster so I'll try to race through here. The catalog.nsf, that's one of the ones I was mentioning earlier, which catalogs all the other Notes databases. So it's actually got entries. Where are they located on the file system? Which server are they actually located on? The Domino config database. This is the one where you've actually got, which configures the virtual hosts and virtual web servers which I mentioned earlier. And I'm gonna skip through these since I mentioned them earlier. In all of these, usually the ACL, the default ACL, is actually misconfigured or people have not really gone back and checked their settings on all of these. And one of the last most important things: there's a tendency among Domino administrators, when they're setting up a server, they wanna utilize things like the auto restart feature of a Domino server. And they think, well, okay, you know, it's a server, nobody's gonna steal this ID file because I've tightened down the security, I've turned off NetBIOS on my NT server, or I don't run network file services. But there's usually a ton of other things running on that server that they haven't thought about.
And if there's some sort of form of host-based security on that server, we can usually violate that to gain access to the file system. Once we have that, and if the operating system allows us to just read the file of the server ID, we can retrieve that and we can actually create a new server on our system, and we can use that to replicate with another server, not the same one, but another server inside that organization, and retrieve databases from it to our local machine and compromise the company's data. Now, I'm going to hand this over to my next colleague, Wouter Aukema, who's going to demonstrate some other attacks, which cover some of the security issues that I've talked about and some new ones. And here he is. Thanks a lot. Okay. Basically, what I want to discuss is two things. Two methods of attack. One is dealing with the stored form vulnerability and the other one deals with the OLE interface to the Lotus Notes client. I'm going to start with the stored forms, but before that, I think it's good if I explain a little bit about Lotus Notes databases, so you'll know what a stored form actually is. A Notes database consists of data in the form of structured data, rich text or HTML. Next to that, in a database you also have design elements defined, and one of them is forms. A form is used for rendering that data and it also contains programmable events. A stored form is as follows. Suppose you have a document, a piece of data that you want to transport to another database, but the form definition for rendering that data is not available. Then Lotus Notes has a very powerful feature that allows you to accompany that data with a stored form. Another additional feature with stored forms is that the Lotus Notes SMTP agent can use that, so you can actually transfer email messages, Lotus Notes email messages with stored forms, over the internet towards another Notes environment.
The stored form vulnerability was actually dating from 1996, so this is not something new I'm telling you here. At least it should not be. The first occasion that I could find was a guy, Oliver Berger from Germany, and he reported this to Lotus, and Der Spiegel, which is a German magazine, spent an article on it, and somehow I don't think it got the attention it should have gotten. Anyway, Lotus responded with the execution control list as a method to defend the user against potentially hostile content. However, and this is what we see in practice with our clients, we are now four years later and what we see is that very few people or very few organizations have the execution control list set up properly. In addition, very few people disabled stored forms on their mail file. So in fact, still very many people are vulnerable to this attack, which dates back to 1996. How would you perform a stored form attack? It's basically very simple. You take your mail file, take a copy of your memo form in the mail file, eliminate the code that Lotus Notes put into the programmable events and replace it with your own. So what you can do is either make it launch an executable automatically or program something in the QueryOpen or PostOpen event, and as a result, you can launch any type of code or executable without user interaction. And again, this is back in '96, okay? Because I don't know, Chris, maybe you can comment on that, but there was some virus going on lately and they claimed that this was the first virus that did it without user interaction. That thing comes back on. Yeah, do you remember, I guess it was last year or so when Bubble Boy made the rounds, because the view properties within, I guess it was Outlook Express, it would actually execute native VBScript. Well, Notes can do that too. Just by looking at a mail message, which Wouter's about to do? Exactly. Okay, I need to switch to my, can I use this microphone? Is that on video? There you go.
Okay, first of all, I'm gonna explain a little bit about the setup that we have created. This laptop here is gonna act as the victim. Okay, and we're gonna perform an attack from this attacker. We have several users set up. The first user that we're gonna attack is named R46 user. That's kind of a stupid name, but I want you guys to understand that this is reflecting a release 4.6 default setup. Okay, and the laptop I hold over here is the attacker. I'm logged in as Wouter Aukema. I'm now gonna attack this client. I've prepared stuff a little bit, so instead of creating a stored form, I've already created it and sent it over to R46 user. And I have to log in now. I have to provide a password. Okay, I'm gonna log in. And what you see is the user has received an email. What I'm about to show here is that I'm gonna press enter, and when I press enter, which is normal user behavior, you're just gonna open your email. But by opening that email, I'm gonna launch notepad.exe, which is an executable. This should not be possible, because I could launch notepad, but I can also launch Back Orifice or any kind of other hostile code that you wish. Take a look. I'm gonna press enter now. User's opening his email, and without anything, the notepad has started. And actually, as a kind of joke, I put in the advisory that Lotus wanted us to make here, so we'll get back to that later. Okay. What are the observations that we can make? Well, again, no user interaction was required. Secondly, there was no warning presented either by the operating system or by Lotus Notes prior to execution. And why? Because the ECL was not configured properly. Within, as yeah, and that's number one, and number two is the stored forms were enabled. Lotus came up with the execution control list. What is the execution control list? Basically, what it does is it allows you to specify signatures that you trust.
And per signature that you trust, you can specify what type of functionality you allow that signature to perform. Apart from the list of trusted signatures, you have two more entries. One is a default entry, that is for all other signatures that you have not specified, and one is the no signature entry, which is for code that has no signature. What are the common ECL problems? Well, again, as stated before, there are very few people out there that understand the ECL concepts. Number two, ECL settings are stored in a very obscure location. I don't know if anybody, if you know about administrative ECLs, they're stored in some hidden location, somewhere in the Notes directory. You can find them and you can manipulate them. Within the user's desktop.dsk, there are also ECLs specified. But most important of all, prior to release 5.0.2 of Lotus Notes, the default ECL allows all functionality to any type of code. And that is very important. So when you are then installing a new Notes client, it's gonna allow any type of hostile code to execute. Lotus has recognized this, and as of 5.0.2, they've reversed it. It's now as tight as tight can be. Which also presents a lot of warnings to people. But, well, there are two undocumented ways to reset an ECL. One is the formula that's called @RefreshECL. And if you specify either a non-existing administrative ECL, or empty parameters would do fine, you will reset the ECL at the client. Now mind again, that prior to 5.0.2, this is gonna end up in a situation where the client will allow all functionality. The second method to reset the ECL, actually the title of my slide is a bit wrong, it's not removing, you're actually resetting it. The second method to reset the ECL is to remove the ECLSetup=3 line from the notes.ini file, which is a settings file for Lotus Notes. If you do that, the next time the Notes client starts up, the ECL has been reset. What is the ECL attack about?
Well, we have discovered with our research that the ECL is not capable of intercepting API calls into the Notes client. So the OLE interface of Lotus Notes is using the Notes API. So it's also not being intercepted by the execution control list. I'm gonna show a little demonstration again, going back to my screen. Again, this is the victim, this is the attacker. In order to reflect a release 5.0.2 user with a very tightened ECL, I'm gonna have to switch to another user, which I have defined, which is Mr. Sam user. So I have to switch the location document here and I have to provide a password. Okay, I have a very slow laptop, I'm sorry about that. Okay, I'm gonna open an email. Again, from the attacker, I've prepared this demonstration a little. And what I've done is the following. I have sent this victim an email. And that email contains an attachment, which is an HTML file. The HTML file contains VBScript. Okay, so that's why I'm gonna use Explorer to launch it. The VBScript is making all the calls into the Notes client. And I'm gonna have this victim perform all kinds of functions that should not be allowed. Let's first take a brief peek in the ECL itself. If you go to File, Preferences, User Preferences, Security Options. As you can see here, this is an ECL that Lotus is recommending. Default, there is nothing allowed. So as soon as any type of code tries to perform an action, it will pop up with an execution security alert. The same goes for the no signature entry. And Lotus Notes Template Development is allowed all functionality. The reason for that is they ship the templates. So if you wanna be able to use your mail, this needs to be on. I'm gonna launch this file. And this is also gonna take some time because I have a very slow laptop. We rented it, by the way. What I'm gonna, what the code is going to do is very interesting. First of all, it's gonna modify the access control list on this victim's mail file.
It's gonna change the entry anonymous into manager access. So the result is that you end up with a world access situation on your mail file. Secondly, this piece of code is going to send an email back to the attacker. Now all of you know that if Internet Explorer tries to launch ActiveX, it's gonna come up with a warning, and I bet there are guys out here that know plenty enough to go around those warnings as L0pht did with their advisory a couple of weeks ago. I didn't put any energy in that. So I'm just gonna press yes. Yes. There you go. Nothing happened. Yeah, it's a regular HTML file. And the user didn't notice a thing. Let's go to the attacker, and let's take a look at the end result of this. Which, one down, okay, thanks. This is the attacker. That's the attacker's email, and I'm gonna open my email. And it worked. I received an email from Mr. Sam user with a subject ACL updated for the mail file of Sam user. I'm gonna open that email, and what I have here is a URL pointing towards that user's mail file. So let's click on that. Pop up the browser and see what happens. There you go. I'm manager. Sure. In order to show you the ACL, I'm gonna switch back to the victim. Laptop here, which is on the screen. It's a pity we don't have two screens, but. We're back on the victim's mail file. Now, the third thing that the email did, that the piece of VBScript did in my HTML file, is I deleted the document. So all traces are gone. What happens if I try to open that email? Oh, it's already gone. You see that? Sorry. You wanted to look at the ACL. File, Database, Access Control. And as you will see, default has no access. Anonymous has manager access. If you take a look at the log, you will actually see that this happened just now. Well, another interesting piece is that the user performed the activity himself. Not me, but the user himself. Okay? With a little bit of imagination, there are a lot of things you can do with that VBScript.
And I want to point out just a couple of things that we came across doing our research. One of the things is that, hold on. One of the things that we discovered is that design elements in Notes databases, such as the mail file and those kind of things, seem to have a fixed note ID for databases that share the same template version. What does that mean? Well, if you look at the mail file, there's for instance the memo form, it has a note ID. And that note ID is going to be the same for all the same versions of Lotus Notes. If you access that particular design element, not as a design element, but as a regular Notes document, there's a function for that, GetDocumentByID, then you will find out that you can manipulate that design very easily. And again, with that VBScript, that'd be relatively easy. So, back to my first demo where I talked about stored forms. Well, we saw that the stored form is actually an attribute that is set in the icon document of a database. And if you go access that icon document, that's a regular Notes document, you will see that in the $Flags field there's a small f character, which indicates stored forms are not allowed. So if you remove that small f, you're back to zero basically, because you can send stored forms again. Well, the same goes for DB scripts, all those kind of things. What can we learn? What can we see from this type of attack? Well, first of all, again, the ECL does not intercept API calls. Secondly, payloads execute on full behalf of the Notes user. And also, not unimportant, the Notes client is not being used. The application is running external to Notes. Recommendations, how can we cope with this vulnerability? Since all of those calls will make use of the registry, we advise you to take away the following settings, that's Notes.NotesSession and Notes.NotesUIWorkspace, take them away from the registry, because that's your way to disable all the hooks into Lotus Notes.
Now, a little side note, there are many external applications that are interfacing with Lotus Notes. They will no longer function. So there's a judgment you gotta make yourself. Do I want security or do I want functionality? Secondly, very important, prior to launching attachments, make sure you clear your user credentials. That way, if some hostile code tries to hook into the Notes client, it won't get anywhere, because you'll be immediately prompted with a Notes password prompt and you will know something is going on. I thought, kind of obvious, the internal Notes viewer is not capable of running any hostile code. So use the internal viewer where possible for Word documents, HTML documents, any type of active content that you might come across. Okay, I'm gonna hand over this one to Chris and to Patrick Guenther, who's gonna do some more heavy stuff. Patrick's gonna be picking up the keyboard stuff and I'll go ahead and babble, because he's happier on the keyboard and I'm happily babbling. Now, we've talked a lot about using F5 to clear out the user credentials. Like if you're walking away from your desktop for some particular reason, Lotus says, hit F5, because that's gonna force you to reauthenticate or at least reenter your password in order to unlock your Notes ID file. Well, there's some stuff about that. First thing, what Patrick's gonna do is pop up an external application that's gonna try to make a call into a Notes document in a situation where F5 has been entered from the desktop, okay? He's hitting F5. We should supposedly be locked out now. So he's gonna launch this external application. Yeah, we're out. All right, so he's gonna launch this external application that's gonna attempt to connect in there and, because we've hit F5, you still have your thing shared. We ran through this before, bear with us, he's gonna go in and unshare. So at least you see that going. Right now, the user ID is actually shared, but we'll fix that.
All right, so we're not gonna share that anymore. So external applications can't do a direct call into that by talking to the stored credentials in memory. Okay, so he's tried to connect and it's prompting him for a password. Now, what's going on in the background is, when you hit F5, what you think is happening is that your credentials are being completely flushed from your workspace, but what's really happening is the client's being instructed that it's dirty by basically flipping a bit somewhere in memory, and if you wanted to take a look, you could flip that bit back, because your credentials are still stored in memory. Your credentials have to be in memory because Notes has a remote replicator service that constantly talks between client and server so it can update your databases. Well, how could your client talk to the server if it didn't have some way of authenticating to the server? It uses those stored credentials in memory to perform this function. So what we've got here is a little tool that's basically going, well, it's a little multifunction tool. The first function we'll do of it is basically turning back on that shared attribute for those credentials in memory, so the external application can talk to it just fine. And there we go. So now we're back into that one. Now, just as we said before, once you've got access to that cached memory location, it's gonna remain cached, so we'll be able to access that for as long as we have the session open. And basically it's just one little register that's being set. Now, the vulnerability, obviously, a little external program. I mean, we're doing it here locally on somebody's desktop, but there's ways to do it using VBScript or anything else that we've talked about through some of these other attacks to perform the same function. Now, one of the things, of course, that makes sense, you're not gonna be able to access any databases other than the ones that that user has access to.
This isn't granting us any sort of super database browsing capability. We're just able to sort of unlock that guy's workstation. But we're moving on to other stuff. Now, this is a basic recommendation. F5, don't use it. If you need to leave, if you gotta go to the bathroom and you're that worried about it, shut down Notes, turn your machine off, whatever. But don't think F5 is really gonna buy you something, because if someone can walk by your desk, they can just unlock everything and get your credentials back. Now, just talking a little bit about a thing called the HTTP password hash. Lotus, in the names and address book, keeps track of a thing for web-based access into Notes. And basically they're using a modified RC4 implementation where a passphrase is then hashed using RC4, but rather than using a dynamic table they've got a static set of plain text that's constantly used as the reference to generate the hash. So essentially, Lotus isn't using a salted hash. Where people using Unix figured out a million years ago that if you're gonna use DES, you need to salt it with something. Apparently, Lotus decided that wasn't a good idea, so they're using this static thing to generate hashes. So what you end up with, if you actually look in the names and address book, any time you see, oh, well, we're in the names and address book now. Yeah, it should, you're up. If you go over to a field, you'll see HTTP passwords in the names and address book. Yeah, there are some hashes. So anytime you see a hash beginning 3, 5, 5, E, 9, 80, 7, B, 5, 9, et cetera, et cetera, that's "password". Anytime you see 0, 6, E, 0, 8, blah, blah, that's "secret". If we go back over here. I'm not gonna read it, you read it. Anyway, anytime you see that, and it becomes very obvious when you start looking through people's names and address book, all these guys are using password or password.
And because of this, once you figure out the way the hashes are generated, you can make a very, very easy dictionary-based hacking program to go against the hashes in the names and address book. So that's fun, but wait, there's more. Now, inside the Notes user ID file, Notes was set up in such a way that the ID file's providing a lot of different layers of security. It's providing strong authentication and access control because of the digital signatures used. You have real good file system integrity and non-repudiation, and because it's used as an encryption key, you've got confidentiality. Sounds great, right? Well, taking it even further. The ID has basically the private and public key, information about the user, an expiration date for the ID file, basic ID integrity control so that no one can go in there and muck around with the user ID file, because it'll fail checksums. The ID file's necessary in order to unlock your client so you can do local databases. It's used in authenticating to a server so you can actually do client-to-server communications, and it's referenced through Notes programs that are using the native Notes API call. Now, one of the things about the client with respect to the ID is there's sort of an arbitrary delay that's built into the client to keep you from trying brute force attacks and logging in, you know, one, let's take a second and then two seconds and then 10 seconds and then 30 seconds, and it can even lock you out from attempting again. Now, the digest of that user ID file is actually stored in the names and address book, and it's sort of referenced with the HTTP hash. And, you know, another feature that the client has is it has auto lock-off features and F5 features, but we know those don't work anymore, right guys? And it has the ability to share user IDs like we just did, so external applications can happily talk to your existing credentials. Well, here comes the fun stuff.
Basically, there's a mechanism by which you can use someone's HTTP password hash and an ID file, both of which we'll explain a couple of reasons on how you might be able to get that information, so that either on your local area network, since you're gonna have access to your names and address book or any server you have access to, or outside from the internet by getting this information, either by directing a user towards some hostile webpage or by sending them a mail message with stored forms or what have you, you can obtain this information and use it to authenticate to remote Notes servers as that user. Now, how does this basically work? We're gonna walk through a demo here. The first thing we do, since we've got this names and address book up, we're gonna go ahead and steal an HTTP password hash. So we got that highlighted, just toggling that over. And now we're gonna pull up that user document for that person, and we're gonna detach that guy's user ID, make a copy of it, put it on our local desktop. Okay, so we've got that over there. Now from the Notes client, what we wanna do is switch to that user ID we just stole. And it's gonna prompt us happily for a password, just like normal. We don't know the password, this is something we just stole. So the password could be anything, but it doesn't matter because we have the hash. So, basically, using that same little nasty tool, we're gonna go in there and we're gonna replace, in that memory register where the existing credentials are, that hash we just stole. That's the same as the Notes test? Yes, it does. And doesn't the Notes documentation recommend not doing that, because they've already said the HTTP hash is not as secure as the Notes one? Yeah, they did say that, but in most installations you'll notice that most people are still synchronizing HTTP and Notes IDs, and people have gone to extreme difficulty in trying to do that synchronization. It goes completely against reality, but. Not at all.
Well, it's actually, if I can say this real quick, it's actually when you register a user, you got a little checkbox that says register as a web user, and it will actually set that HTTP password to be the same as his ID file. You also have a checkbox that says save the ID file to a disk as opposed to the ID. You do, but it doesn't default to it. No, it doesn't. Yeah, but you know, obviously, since you're paying really close attention, we'll assume your shop is a really large Notes user. So, we're not saying that every major deployment of Notes, people don't have their act together, because some do. Some of the customers we've talked to weren't gonna be affected by this, but they're still affected by some of the other things we've talked about. But, unfortunately, you're the exception to the rule, guy. And, you know, we've got customers out there with 80,000 different Notes clients in one organization, or another one that has 115,000 and another one that has 175,000. I mean, this is a big deal, and anyway, we'll continue on. You can go home and sleep well tonight. Most of your colleagues in the audience won't. So, basically, what we did is we replaced in memory that hash with the hash we stole from the names and address book. We've now authenticated as that user. We're gonna pull open his mailbox, and lo and behold, we're now that user. Now, as you said, there's a couple of things. Yeah, F5 doesn't clear your path to your private information, so you can get hashes locally. You can get hashes by browsing something from remote. We've also implemented the same functionality for that particular tool into ActiveX, so you can have someone browse a web page. You'll take their hash credentials from their memory location and steal a copy of their ID file. You know, and with that particular implementation, you're not using the HTTP password hash. You're using the actual hash that's generated for your existing session.
So, even if your HTTP password's different, if I can convince you to go to my ugly web page, I'm taking your user ID and the hash for your actual logged-in session. Not, so it's a little bit different because it involves a little bit more user interaction, but it's still just as nasty. Did you wanna do that one? Yeah. Okay. Yeah. This one's just, this one isn't the full nasty example, but it's gonna mail the hash information back from RoPlay. So, we're connecting up, there you go. There's the hash information that's pulled from memory. So, and that doesn't necessarily have to be the HTTP password. That's the, you know, it's unfortunate, and what they're using to generate the HTTP password hash is the same mechanism they're using to generate the credentials to unlock your private key. That's what unlocks your private key. Your passphrase doesn't; your passphrase generates that hash that's in memory. That's used to unlock your key. Oh well. So, as a basic summary here, password hash, you get it in the Notes names and address book, which you can look at with a Notes client. You can look at it with a web browser, or you can get it from native memory in an active Notes session. And for the ID files, well, most people unfortunately don't practice good host-level security. So, you know, people are sharing C drives all over the world. People are sharing stupid stuff. People have NFS mounts with things with their Notes ID. People store them in a central directory on the Notes server that's accessible by everybody. So when Doofus's hard drive gets reformatted and the system administrator doesn't wanna build them a new Notes ID, they have a copy of it somewhere. Or they just leave it by default in the names and address book. So, that's not good. So this information is out there and it's fairly easy to get. Chris, I was asking you a question. Can I go back to the web browser and hear what? Yeah, the ActiveX pulls the hash out? Yeah. Okay.
You know, and on a lot of these, like we were saying before, you're gonna see, anytime you send these things out there, since it's VBScript running in an HTML page, you're gonna get those Explorer messages. Because, you know, different security zones and whatnot. But how many of you use Explorer, and how many times a day do you see that message, and how many times do you ignore it? If you're like anybody else in corporate America, you'd probably go, well, gee, I'd rather have my porn than worry about that. So I'm clicking yes. So just in summary, I'll hand this back over to Kevin and we'll finish up the summary. Excuse me, Patrick. All right, so how many of you found that interesting? Yeah? Very. All right. Well, good, because I sure as heck did. And really, you really are an exception. And the whole purpose of this is so that... And we found you. We found you. The whole purpose is so everyone thinks like this guy here. That is really the whole purpose of this presentation. Our recommendations for this is to restrict access from the web. So this could have various meanings. If you don't have a purpose for running a Domino server on the web, HTTP service, disable it, kill it, get rid of it. If you do have a purpose for running it, then make sure all your ACLs are tightened up. And this is a pain in the butt. I know, I wish Lotus had better tools. It got a little better in version five. Yeah? Did you say ACLs or ECLs? ACLs right now. ACL reporter is a very good tool for that. Okay. I live right somewhere. Well, I think it should come just with the default install of Domino. So not everybody, a lot of people have gone out and spent thousands on this and they can't, yeah. We all know that feeling. Don't forget to remove, don't, okay, sorry. Don't forget to remove the user IDs from the NAB. Get rid of those things, you know. Put them on a floppy, stick the floppy in the safe. But don't keep that in your network address, but names and address book.
And like this gentleman out here, choose different passwords for your ID files and HTTP passwords. There was something on here and I want to, okay, no, we do get to it. And I mentioned this. This is something, now this is something when we reported this to Lotus, this is important, that Lotus asked us to mention this. The strong password hash, there is in release five, there is a strong password hash that you can actually set in the Domino server profile document. 4.6 on. I'm sorry, well, 4.6 on, you actually have to set an INI file. But in release five, you can set it in the server document. But one of the things which, when we first reported this problem to Lotus, they actually went back and they did their homework, and they came back to us and they said, you know what, using this is actually broken. So when you register a user, you need to go back and manually upgrade him to a stronger internet hash. Because they had not even realized it was broken until we started talking to them about this. So you need to go back into the person views, select all the users, and there's actually a pull-down menu under Actions, and you can actually select to upgrade to a stronger hash. And you'll notice a different format for that hash. And when you notice that different format, then you've upgraded and it should be somewhat more secure. Does that mean it's completely secure? Your guess is as good as mine. We're gonna check that next. When you're leaving your desk, close the whole thing down, as Chris said, you know? I walk by so many places when I go out to a place and the screens are up, people hit F5 if they've done that. But close it down, especially if you're the secretary to one of the directors. You usually have the same access he does and you're putting him at risk. Never click on any email attachments, never run anything.
If it's a Word document, as Valter mentioned, if you've gotta open it, you know, don't accept them for one, you know, try to get something like PDFs, but if you've gotta open it, open it in the viewer in Notes. We're not completely sure that that's even secure, but we're not sure about anything. Enforce the ACLs on all the databases, make sure that you've gone through, as I said earlier, check, make sure that you've got them really tied down. Restrict the anonymous browsing for default databases. If you're running an older version of Domino, this is gonna be turned on by default. In the newer versions, this is actually turned off. If you've enabled it for some sort of system administration or internal development, before you deploy that as a web server, go back and check that. Now, this one is very controversial. Disable stored forms on mail databases. We are aware that there are a ton of applications built for Domino, third-party applications, sometimes internally developed applications, that take advantage of this functionality. And when we were discussing this with Lotus, when we had our conference calls with Charlie Kaufman and Kevin Lynch and were discussing this, they pointed out to us, you know, that there's a lot of applications that use this. Our next question was, do you guys have it enabled? Take a guess what the answer was. Enforce strong ACLs on all unsigned and untrusted documents. Especially if you're running 5.0.1 or earlier, you need to check this. This is kind of an obscure setting; if you're not familiar with it, go back and read the documentation, figure out where it is and set it correctly. Ensure strong host-level security of all Notes servers. Chris can tell you lots of stories, as we can, where a Domino server is only as strong as the platform it's actually running on. If that's not secure, your Domino server is not secure. If I can pull down your Notes database and I can open it locally, your data's not secure.
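The two NAB-related points the speakers make, that the legacy HTTP password hash is unsalted (so identical passwords show up as identical hash strings in the names and address book) and that accounts have to be manually upgraded to the stronger hash format in release five, lend themselves to a simple defender-side audit. The following is an added example and not the speakers' tool or any Lotus code. It assumes the administrator has exported (user name, HTTPPassword) pairs from the Person view, and it assumes, which the talk does not state, that a legacy hash is a 32-hex-digit string and that any other non-empty value is the upgraded format. The rows are constructed and the hash values are made up.

```python
"""Audit exported Domino HTTPPassword values for weak-hash indicators.

Added example, not part of the talk. Two checks:
  1. Users still on the legacy (unsalted) hash format, who should be upgraded
     via the Actions menu in the Person view as described in the talk.
  2. Groups of users sharing a byte-identical legacy hash. Because the legacy
     hash has no salt, identical hashes mean identical passwords, which is
     exactly what the speakers spotted by eye in the names and address book.
"""
import re
from collections import defaultdict

# Assumption (not stated in the talk): the legacy Internet password hash is a
# 32-hex-digit string; any other non-empty value is treated as upgraded.
LEGACY_HASH = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample of (user, HTTPPassword) rows as they might be exported
# from the Person view. The hash values are invented placeholders.
SAMPLE_NAB = [
    ("Alice Example/ACME", "0123456789ABCDEF0123456789ABCDEF"),
    ("Bob Example/ACME", "0123456789abcdef0123456789ABCDEF"),  # same as Alice
    ("Carol Example/ACME", "FEDCBA9876543210FEDCBA9876543210"),
    ("Dave Example/ACME", "(GaBcDeFgHiJkLmNoPqRsTu)"),  # upgraded format
    ("Erin Example/ACME", ""),  # no web password set
]


def is_legacy_hash(value):
    """True if the value looks like the legacy unsalted hash format."""
    return bool(LEGACY_HASH.match(value.strip()))


def audit(rows):
    """Classify users and find shared legacy hashes.

    Returns a dict with lists of users on the legacy format, on the upgraded
    format, with no hash at all, and a mapping of each duplicated legacy hash
    (upper-cased so case differences in the export do not hide a match) to
    the users who share it.
    """
    legacy, upgraded, unset = [], [], []
    groups = defaultdict(list)
    for user, http_pw in rows:
        value = http_pw.strip()
        if not value:
            unset.append(user)
        elif is_legacy_hash(value):
            legacy.append(user)
            groups[value.upper()].append(user)
        else:
            upgraded.append(user)
    duplicates = {h: users for h, users in groups.items() if len(users) > 1}
    return {
        "legacy_users": legacy,
        "upgraded_users": upgraded,
        "unset_users": unset,
        "duplicate_groups": duplicates,
    }


def report(rows):
    """Human-readable findings, one line per item."""
    result = audit(rows)
    lines = []
    for user in result["legacy_users"]:
        lines.append(f"UPGRADE: {user} still uses the legacy hash format")
    for h, users in result["duplicate_groups"].items():
        lines.append(f"SHARED PASSWORD: {', '.join(users)} share hash {h}")
    for user in result["unset_users"]:
        lines.append(f"INFO: {user} has no HTTP password set")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NAB)))
```

The duplicate check deliberately does not try to recover any password: knowing only that two accounts share a hash is enough to tell an administrator those users need to be re-registered with distinct passwords and upgraded to the stronger format. Once hashes are salted, identical passwords no longer produce identical strings, so this check only applies to the legacy-format entries.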
If you've got more information, feel free to visit one of these web pages. This whole presentation, we hope to have PDF by tonight, tomorrow. The PowerPoint slides will be up tonight. Yeah. And we're gonna make sure to get the PowerPoint up tonight because I'm sure a lot of people wanna go back and review this for whatever reason you horrible people wanna look at these at times. But I assume there's some valid reasons for people wanting to see this. So we're gonna make sure it's available on the websites and we're gonna try to transcribe this and put a little bit more detail in a white paper that we'll be working on, which will happen sometime in the future. But as you might imagine, we've been a little busy lately with this. So the white paper will just have to wait a little bit. And finally, on there with Lotus, if you guys aren't, they don't need to see me. If you guys haven't been, for those of you who have major notes deployments and you're not constantly keeping abreast of what's going on with Lotus and updating and keeping patch levels, fixes come up for a lot of things all the time. And if you're not applying them, you're so far behind the curve that all of this is gonna take you forever to catch up on. So get on the hook, it's your responsibility. So I guess question and answers.