Vulnerability Development mailing list archives
Re: Another new worm???
From: edurflinger () CORNINGDATA COM (edurflinger () CORNINGDATA COM)
Date: Wed, 28 Jun 2000 08:34:33 -0400
Lotus Notes can be locked down incredibly tightly. Here are a few items that answer the concerns below: * Fetching email to a remote client takes place via 'replication'. Under the 'Replication -> Settings' menu, you have the option to retrieve the headers and first 40K of 'rich text' only. This doesn't help you, however, if you're reading your mail file directly from the server. * Programs running on the server (known as 'unrestricted agents', including LotusScript, JavaScript, or Java) only run under the authority of the user and have no ability (yeah yeah, no known ability) to break out of that restriction. Users must be specifically enabled to be able to run unrestricted code. * Every client features an 'execution control list' which determines those program elements allowed to run freely on the client end. These ECL workstation setting can be managed centrally from the Notes administrator and pushed down to the client. Unsigned code can be restricted from doing absolutely anything to the client - access the filesystem, environmental variables, whatever. * Available built-in 40-bit port encryption between the server and the client and native support for SSL makes attacks against the replicatino protocol difficult. * Thorough ACL support allows any database to be restricted only to registered Notes users, who are authenticated via client certificate. The maximum level of access an Web user is allowed to have can be specified separately from the normal ACL, meaning that even authorized users can be restricted from editing documents via the Web. Like any program, Notes can be configured insecurely. But if you enforce a client ECL that allows only code signed by the local certificate authority to be executed by the client - if that - mail worm exploits become virtually impossible. Assuming that bugs in the client don't prevent that. :) The R5 client *is* still quite buggy... Connor Durflinger Consultant / Trainer Corning Data Services 607.797.0523 On Mon, Jun 26, 2000 at 09:23:53PM -0700, Blue Boar wrote:
Someone had asked who uses the scripting features in e-mail clients. If you count Notes, I've seen some fairly involved applications written in Notes. An old employer of mine did their entire purchase order system in Notes.
Massive scripting combined with a very buggy client. The features that are /supposed/ to be there don't work reliably. I can't imagine they've done a good job with security. The databases it uses to store messages get corrupted regularly (mine just lost track of which of the 500 messages in my inbox had been read). Don't forget that just about everything is also exposed through a web interface - so you have an additional vector for doing bad things. (Is it possible to create a message that appears substantially different in the Notes client and via the web? Formatting changes. Tables disappear. Perhaps it would be possible to create messages that read two different ways?) Attacks on the replication facility would be interesting as well. (This is a facility whereby a user can download a working copy of a frequently used database to their local machine and then keep that copy synchronized with the master - at the least creating "interesting" things in the local copy would be fun. Erik
Current thread:
- Re: Another new worm???, (continued)
- Re: Another new worm??? sigipp () WELLA COM BR (Jun 26)
- Re: Another new worm??? Mark Rafn (Jun 26)
- Re: Another new worm??? Blue Boar (Jun 26)
- Webramp 310e Call Back Tom Sutherland (Jun 27)
- Re: Another new worm??? Erik Debill (Jun 27)
- HP's OpenMail 6.0 for linux. Larry Cashdollar (Jun 27)
- Re: Another new worm??? Dimitry Andric (Jun 27)
- linux-ftpd 0.16 is also vulnerable Paulo Ribeiro (Jun 27)
- Re: linux-ftpd 0.16 is also vulnerable Daniel Jacobowitz (Jun 28)
- Re: Another new worm??? Dan Schrader (Jun 26)
- Re: Another new worm??? edurflinger () CORNINGDATA COM (Jun 28)
- Re: Another new worm??? Dan Schrader (Jun 28)
- Re: Another new worm??? Blue Boar (Jun 28)
- Re: Another new worm??? tschweikle () FIDUCIA DE (Jun 28)
- Re: Another new worm??? sigipp () WELLA COM BR (Jun 26)