Security hole in Lotus Notes

In the partner forum (and probably also in the discussion database on developerWorks) a fairly solid discussion has flared up about the possibility of breaking into a Lotus Notes server.

When I was reading through it, I realised that I had used something similar a good many years ago, successfully and to my complete satisfaction. I attach the original description by Evgeny Kiselev:

Any user that has Designer access to any database on a Domino server can reach Full Access Administrator level on this server. So, he can create and run agents with Full Administration privileges. As a result, any user with Designer access to any server database has access to the server's file system, and he can list his name in the "Full Access administrators" fields in every server document. Because the Namagent.nsf (Server.Load Setup Agent) database has Manager access for -Default- and Anonymous, by default every user has Full Access administrator rights on every Domino R7, R8b2 server. This is possible due to an incorrect algorithm used by the Agent Manager to check the agent signature. The Agent Manager does not check the signature every time it launches a scheduled agent. It checks it only the first time the agent runs. Then Amgr stores the agent name and signer name in the agent cache. At the next scheduled time Amgr will not check the signature (i.e. validate the signer's public key with the certifier's public key, decrypt the agent's code hash from the signature with the signer's public key, calculate the current code hash and compare both hashes). Instead it checks only text: the agent name and signer name, comparing them with the text values from the agent cache.

Steps to reproduce:

Start position:

  • Server Domino R7.0.2 or R8b2
  • Vasya Pupkin, simple user without privileges
  • Database on the server, having Vasya Pupkin as Designer or Manager in its ACL (for example, namagent.nsf).

Step 1

  • Vasya Pupkin replaces the design of namagent.nsf with any standard template that has a scheduled agent running on „-Any Server-“ (agent schedule dialog box) – for example, „dominoblog.ntf“ (IBM Blog, Domino 7.02, agent „replicaCheck“). The agent will be signed by Lotus Notes Template Development/Lotus Notes. He can replace the design of namagent.nsf as Manager by default.
  • Vasya Pupkin creates a local replica of namagent.nsf.

Step 2

  • Vasya Pupkin installs a Domino server and administration client on his notebook, and registers the organization „Lotus Notes“.
  • Using the „Lotus Notes“ certifier he registers the user „Lotus Notes Template Development/Lotus Notes“. Now he has a self-made (falsified) „Lotus Notes Template Development/Lotus Notes“ ID file. The RSA key pair in this ID file is totally different from the original, but the name is the same.

Step 3

  • Vasya Pupkin switches to the falsified „Lotus Notes…“ ID.
  • He opens the LOCAL replica of namagent.nsf with Notes Designer and changes the code of the agent. For example, he deletes the old code and writes his own code:

    ' Replacement agent body from the original report (LotusScript).
    ' It only writes a marker file, which proves that the agent ran
    ' with full administration rights on the server's file system.
    Sub Initialize
    	Dim FileNum As Integer
    	FileNum% = Freefile()
    	' Path as given in the report
    	Open "C:agenttest.txt" For Output As FileNum%
    	Print #FileNum%, "Anything"
    	Close FileNum%
    End Sub

In the „Agent Properties“ dialog box he switches the runtime security level to „Allow restricted operations with full administration rights“. Then he saves the modified agent. This code is now signed by the falsified „Lotus Notes …“. All code modifications were made in the local replica.

Step 4

  • Vasya Pupkin checks the agent's schedule. He discovers that the agent runs every 15 min. So, he waits 16 min to be sure that the true agent has already run on the server at least once.
  • Vasya Pupkin switches to his own ID, then replicates his local namagent.nsf with the server. The falsified agent is now placed in the server replica.
  • After 15 min he can discover that the falsified agent works with full administration rights, and the file „C:agenttest.txt“ has been created.

In the server document, on the Agent Manager tab, the field „Refresh agent cache“ holds 00:00 – the default time when Amgr rebuilds its agent cache. You might expect that the falsified agent would be discovered after this time, but it continues to run. The agent cache refresh does not work – the Agent Manager still believes that this agent is signed by the true Lotus Notes Template Development/Lotus Notes.
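To make the caching flaw described above concrete, here is an added toy model (not code from the report, IBM or Domino) of the two Agent Manager policies: one that caches only the agent name and signer name after the first verified run, and a hardened one that also binds the verified code hash, so that any replicated code change forces re-verification. Signing is modelled with an HMAC keyed by a constructed per-signer secret, standing in for the real RSA signature and certifier check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed identities: the certifier "knows" only the genuine key for this name.
SIGNER = "Lotus Notes Template Development/Lotus Notes"
TRUSTED_KEYS = {SIGNER: b"genuine-key"}   # assumption: stands in for the public-key check


@dataclass(frozen=True)
class Agent:
    name: str
    signer: str
    code: bytes
    signature: bytes


def sign(code: bytes, signer_key: bytes) -> bytes:
    """Toy signature: HMAC over the agent code with the signer's key."""
    return hmac.new(signer_key, code, hashlib.sha256).digest()


def signature_valid(agent: Agent) -> bool:
    """Full check: signer name must map to the trusted key and the signature must match the code."""
    key = TRUSTED_KEYS.get(agent.signer)
    return key is not None and hmac.compare_digest(sign(agent.code, key), agent.signature)


class FlawedAgentManager:
    """Verifies on first run only; later runs trust a cache keyed by (agent name, signer name)."""
    def __init__(self): self.cache = set()
    def run(self, agent: Agent) -> bool:
        key = (agent.name, agent.signer)
        if key in self.cache or signature_valid(agent):
            self.cache.add(key)
            return True
        return False


class FixedAgentManager:
    """Cache entry also includes the code hash, so changed code is never served from cache."""
    def __init__(self): self.cache = set()
    def run(self, agent: Agent) -> bool:
        key = (agent.name, agent.signer, hashlib.sha256(agent.code).hexdigest())
        if key in self.cache or signature_valid(agent):
            self.cache.add(key)
            return True
        return False


def genuine_agent() -> Agent:   # the template's agent, signed with the genuine key
    return Agent("replicaCheck", SIGNER, b"original code", sign(b"original code", b"genuine-key"))

def forged_agent() -> Agent:    # same names, different code, signed with a self-made key
    return Agent("replicaCheck", SIGNER, b"modified code", sign(b"modified code", b"forged-key"))


def scenario(manager) -> tuple:
    """Genuine agent runs first (populating the cache), then the forged replica arrives."""
    return manager.run(genuine_agent()), manager.run(forged_agent())
```

With the flawed policy the forged agent is accepted on its second scheduled run; with the hash-bound cache it is rejected, and a cold cache rejects it under both policies.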

Personally I never used it in such a refined way, but when a customer sent me a database that I had no access to (and that was not encrypted), I simply created a certificate with his name and happily opened the database. Naturally I could not access their system, but for opening the database (which I needed to get into) that was more than enough.

IBM has created SPR KHON72EHWT for this issue and plans to publish Technote 1258784 (it may already be out). Given that the debate started almost a month ago, a hotfix should by now be out (and available) (I don't have the address :))

And the most important point of the whole debate – if you come across a similar security hole, you are not supposed to publish it, but to send the description to security @ notesdev.ibm.com and give IBM the chance to fix it before it is discovered.

1 comment

  1. This issue has been addressed in the following releases of Lotus® Domino®:
    Domino 6.5.6 Fix Pack 2 (FP2)
    Domino 7.0.2 Fix Pack 2 (FP2)
    Domino 7.0.3
    Domino 8.0
    Full Technote here: { Link }
