"IBM Lotus Notes continues to set the standard for innovation in the messaging and collaboration market Lotus defined over a decade ago. As an integrated collaborative environment, the Lotus Notes client and the IBM Lotus Domino server combine enterprise-class messaging and calendaring & scheduling capabilities with a robust platform for collaborative applications". Secunia Research has discovered a security issue in Lotus Notes, which can be exploited by malicious, local users to manipulate arbitrary files.
Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2005-29/
Vulnerable Systems:
* IBM Lotus Notes version 6.5.4
* IBM Lotus Notes version 6.5.5
* IBM Lotus Notes version 7.0.0
* IBM Lotus Notes version 7.0.1
Immune Systems:
* IBM Lotus Notes version 7.0.2
The problem is that Lotus Notes sets insecure default permissions (grants "Everyone" group "Full Control") on the "notes" directory and all child objects. This can be exploited to remove, manipulate, and replace any of the application's files.
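As an added audit script (not part of the Secunia or IBM text), the following PowerShell lists every access control entry under a Notes directory tree that grants Everyone, BUILTIN\Users or Authenticated Users write-capable rights, which is the condition the advisory describes; it goes slightly beyond the advisory by also flagging the Users and Authenticated Users groups. The default path is an assumption; pass the actual Notes program or data directory.

```powershell
# Added example, not from the advisory: audit a Notes directory tree for ACEs that give
# broad groups (Everyone, Users, Authenticated Users) rights to change, replace or delete files.
# The default path is an assumption; point it at the real Notes program or data directory.
param(
    [string] $NotesDir = 'C:\Program Files\lotus\notes'
)

# Rights that let a principal modify, replace or delete files or change their ACL.
$writeLike = [System.Security.AccessControl.FileSystemRights]'Write,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'

# Resolve well-known SIDs (Everyone, BUILTIN\Users, Authenticated Users) to the local
# account names so the comparison does not depend on the display language.
$broadGroups = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11') | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_)).Translate(
        [System.Security.Principal.NTAccount]).Value
}

$findings = @()
$items = @(Get-Item -LiteralPath $NotesDir -Force) +
         @(Get-ChildItem -LiteralPath $NotesDir -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeLike) -eq 0) { continue }
        $findings += [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # $false = set explicitly (e.g. by the installer)
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No write-capable ACEs for Everyone/Users/Authenticated Users under $NotesDir"
} else {
    # Explicit (non-inherited) entries on the top directory are the ones an installer wrote;
    # inherited ones come from the parent, e.g. Program Files on a system upgraded from NT/2000.
    $findings | Sort-Object Path | Format-Table -AutoSize
}
```

Run it from an elevated prompt so Get-Acl can read every object; a finding with `Inherited = False` on the top "notes" directory matches the installer behaviour the advisory describes, while inherited findings point at the parent directory's ACL.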
Solution:
IBM provides the following solution:
Prior to Notes 6.5.4, when installing the Notes client on Windows, the permissions for the Notes program and data directories were set based on permissions inherited from the Program Files setting. With Microsoft Windows NT, Windows 2000, or a system that was upgraded from Windows NT/2000 to Windows XP, regular users had write access to Program Files. This is important because Notes needs the user to have write access to portions of the data directory and to the notes.ini file in the program directory.
Beginning with new installations of Windows XP, or with Windows XP Service Pack 2 (SP2), however, regular users no longer have write access to Program Files. This caused problems at customer sites where the administrator performed the client installation with administrator rights, but when running Notes as a regular user, the end user no longer had write access to the files required by Notes (notes.ini and selected data files) on these systems.
As an interim solution based on customer feedback, we changed the install in Notes 6.5.4 and began setting the permissions for All Users to have read/execute/write permissions on the Notes program and data directories. This was done by adding entries to the LockPermissions table in the installer. In the meantime, work had also begun on the Smart Upgrade Run As Admin feature, which shipped with Notes 7.0.2 and which can also be used to upgrade Notes 6.x clients.
Administrators with access to change directory settings can assign specific users or groups the ability to write to the Notes program and data directories instead of inheriting from Windows Program Files settings or instead of allowing write access to All Users/Everyone.
In 7.0.2, the Notes client install reverts back to the pre-6.5.4 and 7.0 behavior. This change will also apply to Notes 6.5.6. In other words, the permissions set on the Notes program and data files are set based on the Program Files settings.
Another option for customers is to install Notes as multi-user, even if only one user will be using that computer. In this case, the Notes program files are stored under Program Files with permissions set as described above. Notes shared data files (templates, help) are stored under c:\Documents and Settings for All Users (with permissions set to read/execute for all users). Notes user-specific data files (notes.ini, databases) are stored under c:\Documents and Settings for the specified user(s) (read/execute/write for specified user).
Time Table:
22/07/2005 - Vendor notified
22/07/2005 - Vendor response
18/10/2006 - Public disclosure