Goggans and his associates say they discovered a simple way to get a Notes client user password, which enables them to access that person's databases or e-mail. Attackers could also send mail as if they were the person whose account was compromised.
In a Notes mail system, the user names and e-mail addresses, as well as their ID files, are stored in a database called the Name and Address Book, which resides on a server. Too often, system administrators leave the Name and Address Book accessible to the outside world, so people can download the ID files, Goggans says.
"[Domino] is such a complicated product that most administrators can't understand how to manage access controls and application controls," says Goggans. "The security features are often misconfigured or ignored." Knowledgeable Notes administrators, however, say only an inexperienced administrator would permit a vulnerability of this type.
Lynch and Spanbauer say the charges of a password vulnerability are partly valid, but fixable. Administrators can run a tool built into Domino 4.6 and later versions to apply a more complicated algorithm that will better protect passwords, Spanbauer says.
A bigger flaw exists in Notes' Execution Control List, a part of the application that prevents most viruses and malicious scripts from running, Goggans says. The Trust Factory group examined public documents about how Notes works, and discovered what they call a simple method to communicate with Notes that bypasses the ECL and its safeguards. Lotus has placed a guard at the front door of its application, but Trust Factory's programmers were able to "come in around from the back way," he says.
Lotus says it added the ECL to Domino 4.1, and starting with Domino 5.02, the ECL is installed by default. Previously, it was up to an administrator to turn it on. Hackers might be able to circumvent the ECL, but the function has never protected against all potentially malicious scripts--notably, those that may arrive by Notes Mail but actually run on other applications, Spanbauer says.
"They may have expected ECL to protect against things it wasn't intended to," she says. "Notes can only protect within the Notes code."
Although the Lotus representatives say their contact with Trust Factory has been limited, Goggans praised Lotus' attitude upon learning of the discoveries.
"They said let's get this thing out there and figure out a way to help our customers," Goggans says of the Lotus representatives. And those customers may be an interesting assortment, according to the hackers' conference speakers.
"The CIA uses Lotus Notes, so they're very worried," Goggans says.
Peggy Watt of PCWorld.com contributed to this report.
