[NEWS] Lotus Domino Web Administrator Template ReplicaID Access

From: support@securiteam.com
Date: 11/13/01


To: list@securiteam.com
Subject: [NEWS] Lotus Domino Web Administrator Template ReplicaID Access
Message-Id: <20011113181340.E51C6138BF@mail.der-keiler.de>
Date: Tue, 13 Nov 2001 19:13:40 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Lotus Domino Web Administrator Template ReplicaID Access
------------------------------------------------------------------------

SUMMARY

Lotus Domino is an application server designed to aid workgroups and
collaboration on projects. It offers SMTP, POP3, IMAP, LDAP and web
services that allow users to interact with Lotus Notes databases.

NISR have discovered a feature of Domino's web server that allows an
anonymous user to access the Web Administrator template file
(webadmin.ntf) and use some of its functionality. Normally webadmin.ntf
should not be accessible and as such, this poses a high security threat to
systems running Lotus Domino.

DETAILS

Lotus Notes databases can have one of several file extensions, such as
.nsf, .ns4 or .box. When the Domino web server receives a client request
it examines the request to decide whether it is for a Notes database
file. If it is, Domino looks for the file in the \lotus\domino\data
directory; if it is not, Domino looks in another directory:
\lotus\domino\data\domino\html. Some Notes databases are derived from
template files that have an .ntf file extension. These template files
exist in the same directory as their .nsf children; however, because .ntf
is not treated as a database extension, a request for a template file
causes Domino to search in the latter directory. As the templates exist in
the former, the web server fails to find the file and returns a File Not
Found (404) reply.

Another way to make a request for a database resource is to use the
database's ReplicaID. A ReplicaID is a 16-digit hexadecimal number that is
used to track replica copies of the same database across different
systems. It is therefore possible for a user to access a Notes database
template file by making a request to the web server using the template's
ReplicaID. Of all the templates, only the Web Administrator template file
seems to be dangerous. Anonymous users can read any text-based file on the
system that Domino has permission to access, as well as enumerate all
databases on the system. If the Domino web service process were running as
root or SYSTEM then an attacker would not be limited in the files they
could access. This problem is further exacerbated by the fact that the
webadmin.ntf ReplicaID is the same on every system running Domino, meaning
that once an attacker has the ReplicaID they will be able to access
the Web Administrator running on an

Fix information:
The best course of action is to remove the Web Administrator template from
the system. You should also consider removing the real Web Administrator,
webadmin.nsf, since if someone were to gain a valid user ID and password
for Domino they would be able to perform undesirable actions against the
system.

Lotus were informed about this issue and, in their next release of Domino,
version 5.0.9, will ensure that the permissions set on the webadmin.ntf
file are such that anonymous access is prevented.

For those who are worried about attempts to access the Web Administrator
template file and wish to monitor potential attacks, you can get the
ReplicaID of webadmin.ntf from the Domino Catalog, catalog.nsf. Hold the
Control, Shift and H keys down whilst you open the catalog. This key
sequence causes the Notes client to show hidden views as well as visible
ones. One of the hidden views, $ReplicaID, contains the ReplicaID of every
database and template on the system.
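As an added example, not part of the original advisory, the following Python script shows one way to do the monitoring suggested above: it reads web access log lines and flags any request that addresses a watched ReplicaID (the value you copied from the $ReplicaID view) or that asks for a .ntf template by name. It assumes the Domino HTTP task has been configured to write its access log as text in Common Log Format, and that ReplicaID requests appear as either /<ReplicaID> or /__<ReplicaID>.nsf; the ReplicaID and log lines below are constructed placeholders.

```python
import re
from dataclasses import dataclass

# A request whose first path segment is a bare 16-hex-digit ReplicaID, or
# the __<ReplicaID>.nsf form, addresses a database by ReplicaID (assumption).
REPLICA_ID_RE = re.compile(r"^/(?:__)?([0-9A-Fa-f]{16})(?:\.nsf)?(?:[/?]|$)")
# Direct .ntf requests are answered with a 404 by Domino, so a run of them
# from one client is a sign that somebody is probing for templates.
TEMPLATE_RE = re.compile(r"\.ntf(?:[/?]|$)", re.IGNORECASE)
# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


@dataclass
class Hit:
    client: str
    path: str
    status: int
    reason: str


def scan_log(lines, watched_replica_ids):
    """Return a Hit for each request naming a watched ReplicaID or a .ntf file.

    watched_replica_ids: 16-hex-digit strings taken from the $ReplicaID view
    of catalog.nsf on the monitored server (case-insensitive).
    """
    watched = {r.upper() for r in watched_replica_ids}
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        client, _ts, _method, path, status = m.groups()
        rid = REPLICA_ID_RE.match(path)
        if rid and rid.group(1).upper() in watched:
            hits.append(Hit(client, path, int(status), "watched ReplicaID"))
        elif TEMPLATE_RE.search(path):
            hits.append(Hit(client, path, int(status), "template (.ntf) requested"))
    return hits


# Constructed sample data: the ReplicaID is a placeholder, not the real value.
WEBADMIN_REPLICA_ID_PLACEHOLDER = "0123456789ABCDEF"
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Nov/2001:19:13:40 +0100] "GET /names.nsf HTTP/1.0" 200 5120',
    '10.0.0.9 - - [13/Nov/2001:19:14:02 +0100] "GET /webadmin.ntf HTTP/1.0" 404 312',
    '10.0.0.9 - - [13/Nov/2001:19:14:10 +0100] "GET /0123456789abcdef/?Open HTTP/1.0" 200 8840',
    '10.0.0.7 - - [13/Nov/2001:19:15:00 +0100] "GET /FEDCBA9876543210/?Open HTTP/1.0" 200 600',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG, {WEBADMIN_REPLICA_ID_PLACEHOLDER}):
        print(f"{h.client} {h.status} {h.path}: {h.reason}")
```

Requests for other ReplicaIDs are left alone on purpose, since ordinary users reach databases that way too; only the IDs you list are reported.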

ADDITIONAL INFORMATION

The information has been provided by <mailto:nisr@nextgenss.com>
NGSSoftware Insight Security Research.
