Vulnerability Development mailing list archives

Re: Is R5 exposed to stored forms exploits?
From: pguenther () lndmt com
Date: Tue, 18 Sep 2001 09:54:37 +0200

Yes, it still is, under certain conditions:
- The Notes mailbox is set to accept stored forms.
- The ECL settings for the workstation allow it to do anything.

By default the Notes mailbox is set to allow the usage of stored forms, where you can store malicious code.
Starting with release 5.0.2, the default ECL has been defaulted to not allow any operation for the malicious code.

Now if a user opens its ECL (the operation is done at workstation level and is global to the workspace), yes, the risk still exists.

Patrick
"Grank D'souza" <gd_souza () hotmail com>
18.09.2001 00:09

        To:     vuln-dev () securityfocus com
        cc:
        Subject:        Is R5 exposed to stored forms exploits?

--------------------Short version of the issue-------------------------
Is the R5 Domino/Notes environment vulnerable to the stored form exploit over the Internet?

It seems that SMTP-routing stored forms emails changes them into attachments, and Notes-routing stored forms requires cross-certification.

Given these two issues, is the danger of stored forms from the Internet still a reality?

-------------------Long version of the issue----------------------------
It has been long known and recently publicized (DefCon 7/2000, BugTraq 2/2001, Lotus 4/2001) that stored forms (also called active content, mailbombs, etc.) via emails can carry malicious code.

In the R4.x world, an Internet attacker could embed malicious code written in LotusScript in emails and send them by choosing "Maintain Notes format via the Internet" (or some such option available in the Actions - Special Options menu). This email, when read by the recipient, would cause damage (there was no need to launch any attachments).

With the R5 release, one can route messages over the Internet using "SMTP routing" or "Notes routing".

The use of an R5 machine to process SMTP-routed emails converts the stored forms into the annoying attachments called either "encap2.ond" or "c.dtf". These attachments can't be easily launched and the stored form code is not easily executed.

The use of "Notes routing" can maintain stored forms, but requires cross-certification (so I have been told). Again, an attacker would not be capable of cross-certifying.

Lotus still recommends that stored forms be disabled in R5, but does not specify if the exposure is from internal users or external users.

So, do we still have an exposure from stored forms in R5, or can we sleep peacefully at night?

I appreciate your expertise and input on this matter.

Regards.

- Grank.
------------------------------------------------------------------------
