[UNIX] Lotus Notes Domino Insecure Default Permissions
From: SecuriTeam (support_at_securiteam.com)
Date: 01/07/04
To: list@securiteam.com Date: 7 Jan 2004 15:18:32 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lotus Notes Domino Insecure Default Permissions
------------------------------------------------------------------------
SUMMARY
During installation of Lotus Notes Domino under a Linux operating system,
the installation program fails to set safe permissions on two critical
Lotus Notes files (notes.ini and LPSilent.ini).
DETAILS
Vulnerable systems:
* Lotus Notes Domino version 6.0.2 (Linux)
During the installation process, it is recommended to add a new user
(notes). After this, you should log in as root and install the services.
The installation process fails to set proper permissions on two sensitive
files, leaving both writable by every local user:
/local/notesdata/notes.ini rw-rw-rw- notes notes
/opt/lotus/LPSilent.ini rw-rw-rw- notes notes
LPSilent.ini:
This file is used by the silent installation program. If modified, an
attacker could cause the installation process to execute arbitrary
commands/files, install backdoors, etc.
notes.ini:
Notes.ini, like LPSilent.ini, is a very sensitive file. It contains a
lot of sensitive configuration information for the Lotus Notes server, and
modifying it will affect the behavior of the server. For a list of the
keywords that can be used inside the notes.ini file, with a description
of each, see: http://www.drcc.com/A55711/ref/notesini.nsf
Examples:
We could modify the CleanupScriptPath to point to a binary in our $HOME
which could, for example, spawn a suid shell the next time it is executed.
We could change NotesProgram=/opt/lotus/notes/60020/linux to some
directory in our $HOME which includes links to the binaries needed to
start the services listed in the ServerTask key.
We could add a new ServerTask - let's say "Router". Notes will try to find
a binary called "router" in our faked directory, which could spawn a suid
shell for us.
Also note that the Lotus Notes services start as the user "notes" (as
recommended), which is able to view sensitive files or start and stop the
services.
ADDITIONAL INFORMATION
The information has been provided by <mailto:l0om@excluded.org> Rene.
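
A defensive check for the condition described above, as an added example that is not part of the original advisory or of any Lotus tooling. It flags the two files when the "other" write bit is set and lists notes.ini path keys that point outside an expected install prefix; the function names and the default prefix /opt/lotus (taken from the NotesProgram value quoted above) are assumptions.

```shell
#!/bin/sh
# Added example: audit the two files named in the advisory.

# is_world_writable FILE: succeeds when the "other" write bit is set.
# In the ls -l mode string (e.g. -rw-rw-rw-) that bit is character 9.
is_world_writable() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        ????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# ini_value FILE KEY: print the value of the first KEY=value line.
# Keys are compared case-insensitively as a conservative choice.
ini_value() {
    awk -F= -v k="$2" 'tolower($1) == tolower(k) {
        sub(/^[^=]*=/, ""); sub(/\r$/, ""); print; exit }' "$1"
}

# audit_domino NOTES_INI LPSILENT_INI [PREFIX]: print one line per finding.
# PREFIX is the directory tree that program paths are expected to live in
# (assumption: /opt/lotus unless the administrator passes another value).
audit_domino() {
    ini=$1; silent=$2; prefix=${3:-/opt/lotus}
    for f in "$ini" "$silent"; do
        if [ -e "$f" ] && is_world_writable "$f"; then
            echo "WORLD-WRITABLE: $f (fix: chmod o-w)"
        fi
    done
    [ -r "$ini" ] || return 0
    # Keys the advisory names as deciding which programs the server runs.
    for key in NotesProgram CleanupScriptPath; do
        val=$(ini_value "$ini" "$key")
        case "$val" in
            ""|"$prefix"/*) ;;   # unset, or inside the expected tree
            *) echo "REVIEW: $key=$val is outside $prefix" ;;
        esac
    done
    return 0
}

# Default to the paths listed in the advisory when run without arguments.
audit_domino "${1:-/local/notesdata/notes.ini}" "${2:-/opt/lotus/LPSilent.ini}"
```

A "REVIEW" line is a prompt to compare the value against the installed baseline, not proof of tampering.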