The Lotus Notes Client R5 can use its own Web browser to access the WWW. The browser embeds a unique Java Virtual Machine and this VM is used for the Java applet display. This Java VM embeds a feature called "ECL (Execution Control List)," which is unique to Lotus.
By exploiting a security hole in this ECL feature, a third party can detect whether or not a file of a specified pathname exists in the local file system.
Credit:
The information has been provided by Mr. Yasuyuki Endo, Hiromitsu Takagi and Mr. Ryuichiro Isobe.
Impact:
By knowing whether a certain file exists on the local drive, third parties can discover the following private information:
- Whether or not a specified site was visited (by checking for the presence of a certain cookie).
- Whether or not a specified Web page is registered in the "Favorites" (determined by checking whether a shortcut file whose name is the title of that page exists in \WINDOWS\Favorites\).
- Whether or not a specified file has been used recently (determined by checking whether a shortcut file with the same name as that file exists in the \WINDOWS\Recent\ folder).
- Whether or not a specified application is installed.
Exploit:
A demonstration applet has been created to verify the existence of this hole.
http://java-house.etl.go.jp/~takagi/java/security/lotus-notes-existence-attack/Test.html
This demonstration checks for the presence of the following files:
\AUTOEXEC.BAT
\Program Files\Internet Explorer\IEXPLORE.EXE
\Program Files\Microsoft Office\Office\WINWORD.EXE
\Program Files\Microsoft Office\Office\POWERPNT.EXE
\Program Files\Adobe\Photoshop 5.5\Photoshp.exe
\Program Files\Netscape\Communicator\Program\netscape.exe
...\Cookies\administrator@playboy.txt
...\Cookies\administrator@playboy[1].txt
...\Cookies\administrator@playboy[2].txt
...\Cookies\anyuser@playboy.txt
...\Cookies\anyuser@playboy[1].txt
...\Cookies\anyuser@playboy[2].txt
Pressing the Search button starts the inspection of the file names listed above; an "Execution Security Alert" warning dialog appears whenever a file to be inspected exists on the local disk (see Fig. 1). Pressing either the "Abort" or the "Execute Once" button lets the Java program learn that the file exists, and the file name is then displayed in the "List of files confirmed to be existing" text area below (see Fig. 2).
Reasons for Defect:
The standard Java security model up to JDK 1.1 prohibits all access to local files and lacks flexibility. The ECL feature of Lotus provides that flexibility: it extends Java's security model so that, instead of prohibiting everything, it pops up a confirmation dialog when a hazardous operation is about to be executed and lets the user choose whether to execute or cancel it.
When the getSystemResource(String) method of the java.lang.ClassLoader class is called, this confirmation dialog appears only if a file with the pathname given as the argument exists.
The getSystemResource method returns null regardless of whether "Abort" or "Execute" is selected, and execution continues as if nothing had happened. However, the method takes clearly longer to execute when the dialog is shown, because a human needs at least several hundred milliseconds to press a button. By measuring the time before and after the call, a program can therefore detect whether the dialog was shown, and a malicious applet can thus learn that the file exists.
Sun's JDK manual clearly states that getSystemResource must not behave this way (http://java.sun.com/products/jdk/1.2/docs/guide/resources/resources.html):
"If security considerations do not allow a resource to be visible in some security context, the getResource() method will fail (will return null) as if the resource was not present at all, this addresses existence attacks."
The ECL feature of Lotus Notes did not follow this guideline, which is what created the hole.
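The following Java program is an added illustration, not Lotus or Sun code, of the defect described above: a loader that consults the filesystem first and prompts only when the file exists leaks the existence bit through the prompt's duration even though it always returns null, whereas a loader that decides visibility from the caller's policy before touching the filesystem satisfies the "as if the resource was not present at all" guideline. The ConfirmPrompt and AccessPolicy interfaces, the 300 ms simulated user and the nonexistent path are all assumptions constructed for this demonstration.

```java
import java.io.File;
import java.util.concurrent.TimeUnit;

public class ResourceGateDemo {
    /** Hypothetical stand-in for the ECL confirmation dialog; blocks until answered. */
    interface ConfirmPrompt { boolean confirm(String path); }

    /** Visibility decided from the caller's trust level, never from the filesystem. */
    interface AccessPolicy { boolean allows(String path); }

    /* Flawed shape from the advisory: stat the file first, prompt only when it exists.
     * The result is null either way, but the time spent in the prompt is visible to the
     * caller and encodes the existence bit. */
    static Object lookupLeaky(String path, ConfirmPrompt prompt) {
        if (new File(path).exists()) {
            prompt.confirm(path);   // hundreds of ms while a human presses a button
        }
        return null;
    }

    /* Guideline-following shape: decide visibility on the name alone and return null
     * before touching the filesystem, so an absent path and a present-but-hidden path
     * take exactly the same code path ("as if the resource was not present at all"). */
    static Object lookupUniform(String path, AccessPolicy policy) {
        if (!policy.allows(path)) {
            return null;            // no prompt, no stat()
        }
        File f = new File(path);
        return f.exists() ? f : null;
    }

    public static void main(String[] args) {
        // Simulated user taking 300 ms to dismiss the dialog; untrusted code may see nothing.
        ConfirmPrompt slowUser = p -> {
            try { TimeUnit.MILLISECONDS.sleep(300); } catch (InterruptedException e) { }
            return false;
        };
        AccessPolicy untrusted = p -> false;
        // java.home always exists; the second path is constructed so that it does not.
        for (String p : new String[] { System.getProperty("java.home"), "/no/such/file" }) {
            long t0 = System.nanoTime();
            lookupLeaky(p, slowUser);
            long leakyMs = (System.nanoTime() - t0) / 1_000_000;
            t0 = System.nanoTime();
            lookupUniform(p, untrusted);
            long uniformMs = (System.nanoTime() - t0) / 1_000_000;
            System.out.printf("%-40s leaky=%4d ms  uniform=%4d ms%n", p, leakyMs, uniformMs);
        }
    }
}
```

Only the leaky variant shows a timing gap between the existing and the nonexistent path; the uniform variant returns in the same few microseconds for both, which is the property a regression test for this class of bug should assert.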