Vulnerability Note VU#5962

Notes default ECL allows execution of unsigned code

Original Release date: 26 Sep 2000 | Last revised: 25 Jun 2001

Overview

Lotus Notes prior to version 5.02, had permissive ECLs that allow for the execution of malicious mail messages.

Description

A Notes ECL is a list consisting of a Notes Username and a set of permissions from the following list (for Notes 4.6.x):

  • Access to file system
  • Access to current database
  • Access to Non-notes databases
  • Access to external code
  • Access to external programs
  • Ability to send mail
  • Ability to read other databases
  • Ability to modify other databases
  • Ability to export data
  • Access to Workstation Security ECL

    For example, an ECL might "look like" the following:

    {Shawn Hernan : Access to file system, Ability to Send Mail}
    {Cory Cohen : Access to file system, Ability to export data}

    ECLs are used to control the level of access that Notes Forms, LotusScripts, and Notes Agents have to the local workstation. In the example above, programs (i.e. forms, scripts or agents) written by Shawn would have access to the file system, and the ability to send mail. Programs written by Cory would not be able to send mail, but they could access data. (Notes will prompt the user for instructions when a program violates the ECL).

    Authorship is determined by cryptographically strong signatures on the programmatic objects.

    It is possible to attach a program to a Notes Form; the program will be triggered when certain events occur. For example, you could attach a program to a Notes form that displays a welcome message immediately after the form is opened (the so-called "PostOpen" event).

    Further, it is possible to mail forms, including the attached program(s), from one user to another, or to a database. The abilities and permissions of the programs attached to the form depends on the ECL for the user opening the form.

    Finally, the default ECLs for Notes are very permissive. In fact, the defaults allow any program, regardless of authorship, all 11 permissions. This level of access can be leveraged to run arbitrary code with the privileges of the user.

    Combining all these attributes, and assuming the default configuration for ECLs, we believe it is possible for an intruder to mail a malicious program to a Notes user in such a way that the program will be executed when the user opens the mail. In such a scenario, the user would not have to click on any attachments, nor would they be presented with a dialog that would give them a chance to prevent the code from running.

    Although this behavior is well documented, it is likely that many installations have accepted the default, permissive, configuration. In the wake of the Melissa and ExploreZip viruses, it is easy to imagine a similarly destructive virus being launched against Notes users.

    Additionally, because Notes mail supports strong encryption, it may be difficult or impossible to apply a general purpose central filtering system to 'screen out' malicious Notes programs.

  • Impact

    Attackers can cause victims to execute arbitrary code simply by sending them a mail message. The message need only be opened by an appropriate victim.

    Solution

    The following procedure has to be followed for each certifier [or identifier] used on each Notes desktop. This procedure must be repeated per user.id file per desktop.

    Start Notes and for each .id file available, do the following

  • Select File -> Tools -> Switch ID
  • Select an .id file
  • Click the Open button, a dialog will prompt for the passphrase for this identifier
  • Select File -> Tools -> User Preferences
  • Click the "Security Options" button, and the "Workstation Security: ECL" dialog appears
  • Choose -Default-
  • Uncheck all of the checkboxes to the right
  • Choose -No Signature-
  • Uncheck all of the checkboxes to the right
  • Click the "Add" button, and the "Add User" dialog appears
  • Click the little blue man button, and the "Names" dialog appears
  • Select the appropriate address book
  • Select any developers who write code used on your systems, and click the Add button
  • Click Ok button to dismiss "Names" dialog
  • For each authorized developer that you added, set the ECL appropriately.
  • Click the Ok button to dismiss the "Workstation Security: ECL" dialog

    Note that even if you do not use Notes for electronic mail, the same situation applies to any database that can receive mail. It may be possible to automate this procedure via LotusScript.

  • Systems Affected (Learn More)

    VendorStatusDate NotifiedDate Updated
    LotusAffected-26 Sep 2000
    If you are a vendor and your product is affected, let us know.

    CVSS Metrics (Learn More)

    Group Score Vector
    Base N/A N/A
    Temporal N/A N/A
    Environmental N/A N/A

    References

    Credit

    Our thanks to a contributor wishing to remain anonymous and Kevin O'Brien of Neon Systems Inc for their contributions to this document.

    This document was written by Shawn V Hernan.

    Other Information

    • CVE IDs: CAN-2000-0891
    • Date Public: 15 Aug 97
    • Date First Published: 26 Sep 2000
    • Date Last Updated: 25 Jun 2001
    • Severity Metric: 54.72
    • Document Revision: 6

    Feedback

    If you have feedback, comments, or additional information about this vulnerability, please send us email.