Notes default ECL allows execution of unsigned code

Overview

Lotus Notes prior to version 5.02, had permissive ECLs that allow for the execution of malicious mail messages.

Description

A Notes ECL is a list consisting of a Notes Username and a set of permissions from the following list (for Notes 4.6.x):

* Access to file system
* Access to current database
* Access to Non-notes databases
* Access to external code
* Access to external programs
* Ability to send mail
* Ability to read other databases
* Ability to modify other databases
* Ability to export data
* Access to Workstation Security ECL

For example, an ECL might “look like” the following:

{Shawn Hernan : Access to file system, Ability to Send Mail}
{Cory Cohen : Access to file system, Ability to export data}

ECLs are used to control the level of access that Notes Forms, LotusScripts, and Notes Agents have to the local workstation. In the example above, programs (i.e. forms, scripts or agents) written by Shawn would have access to the file system, and the ability to send mail. Programs written by Cory would not be able to send mail, but they could access data. (Notes will prompt the user for instructions when a program violates the ECL).

Authorship is determined by cryptographically strong signatures on the programmatic objects.

It is possible to attach a program to a Notes Form; the program will be triggered when certain events occur. For example, you could attach a program to a Notes form that displays a welcome message immediately after the form is opened (the so-called “PostOpen” event).

Further, it is possible to mail forms, including the attached program(s), from one user to another, or to a database. The abilities and permissions of the programs attached to the form depends on the ECL for the user opening the form.

Finally, the default ECLs for Notes are very permissive. In fact, the defaults allow any program, regardless of authorship, all 11 permissions. This level of access can be leveraged to run arbitrary code with the privileges of the user.

Combining all these attributes, and assuming the default configuration for ECLs, we believe it is possible for an intruder to mail a malicious program to a Notes user in such a way that the program will be executed when the user opens the mail. In such a scenario, the user would not have to click on any attachments, nor would they be presented with a dialog that would give them a chance to prevent the code from running.

Although this behavior is well documented, it is likely that many installations have accepted the default, permissive, configuration. In the wake of the Melissa and ExploreZip viruses, it is easy to imagine a similarly destructive virus being launched against Notes users.

Additionally, because Notes mail supports strong encryption, it may be difficult or impossible to apply a general purpose central filtering system to ‘screen out’ malicious Notes programs.

---

Impact

Attackers can cause victims to execute arbitrary code simply by sending them a mail message. The message need only be opened by an appropriate victim.

---

Solution

---

The following procedure has to be followed for each certifier [or identifier] used on each Notes desktop. This procedure must be repeated per user.id file per desktop.

Start Notes and for each .id file available, do the following

* Select File -> Tools -> Switch ID 
* Select an .id file 
* Click the Open button, a dialog will prompt for the passphrase for this identifier 
* Select File -> Tools -> User Preferences 
* Click the "Security Options" button, and the "Workstation Security: ECL" dialog appears 
* Choose -Default- 
* Uncheck all of the checkboxes to the right 
* Choose -No Signature- 
* Uncheck all of the checkboxes to the right 
* Click the "Add" button, and the "Add User" dialog appears 
* Click the little blue man button, and the "Names" dialog appears 
* Select the appropriate address book 
* Select any developers who write code used on your systems, and click the Add button 
* Click Ok button to dismiss "Names" dialog 
* For each authorized developer that you added, set the ECL appropriately. 
* Click the Ok button to dismiss the "Workstation Security: ECL" dialog 

Note that even if you do not use Notes for electronic mail, the same situation applies to any database that can receive mail. It may be possible to automate this procedure via LotusScript.

Vendor Information

5962

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Lotus __ Affected

Updated: September 26, 2000

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The default settings have been fixed starting in Notes 5.0.2. See http://www.notes.net/R5FixList.nsf/Search!SearchView&Query=CBAT45TU9S.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%235962 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• http://www.notes.net/R5FixList.nsf/Search!SearchView&Query=CBAT45TU9S
• http://listserv.okstate.edu/CGI/WA.EXE?A2=ind9708&L=domino-l&P=R5936
• <http://www.securityfocus.com/bid/2358&gt;
• <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0891&gt;
• <http://www.notes.net/today.nsf/f01245ebfc115aaf8525661a006b86b9/3a9da544637a69b2852568310078b649?OpenDocument&gt;

Acknowledgements

Our thanks to a contributor wishing to remain anonymous and Kevin O’Brien of Neon Systems Inc for their contributions to this document.

This document was written by Shawn V Hernan.

Other Information

CVE IDs:	CVE-2000-0891
Severity Metric:	54.72 Date Public: