Lotus Domino Web Administrator Template ReplicaID Access

October 29th, 2001

NGSSoftware Insight Security Research Advisory

Name:             Lotus Domino Web Administrator Template ReplicaID Access
Systems Affected: Lotus Domino 5.x on all operating systems
Severity:         High Risk
Vendor URL:       http://www.lotus.com/
Author:           David Litchfield (david@nextgenss.com)
Date:             29th October 2001
Advisory number:  #NISR29102001A

Description

***********

Lotus Domino is an application server designed to aid workgroups and
collaboration on projects. It offers SMTP, POP3, IMAP, LDAP and web
services that allow users to interact with Lotus Notes databases.

NISR have discovered a feature of Domino's web server that allows an
anonymous user to access the Web Administrator template file
(webadmin.ntf) and use some of its functionality. Normally webadmin.ntf
should not be accessible at all, so this poses a high security
threat to systems running Lotus Domino.

Details

*******

Lotus Notes databases can have one of several file extensions, such
as .nsf, .ns4 or .box. When the Domino web server receives a client
request it examines the request to decide whether it is for a Notes database
file. If it is, Domino looks for the file in the \lotus\domino\data
directory; if it is not, Domino looks in another directory,
\lotus\domino\data\domino\html. Some Notes databases are derived from
template files that have a .ntf file extension. These template files
exist in the same directory as their .nsf children; however, because .ntf
is not treated as a database extension, a request for a template file causes
Domino to search in the latter directory. As the templates exist in the
former, the web server fails to find the file and returns a File Not Found
(404) reply.

Another way to make a request for a database resource is to use
the database's ReplicaID. A ReplicaID is a 16-digit hexadecimal number
that is used to track concurrent copies of the same database across
different systems. It is therefore possible for a user to access
a Notes database template file by making a request to the web server
using the template's ReplicaID instead of its file name. Of all the
templates, only the Web Administrator template file seems to be dangerous.
Anonymous users can read any text-based file on the system that Domino has
permission to access, as well as enumerate all databases on the system. If
the Domino web service process is running as root or SYSTEM then an attacker
would not be limited in the files they could access. This problem is further
exacerbated by the fact that the webadmin.ntf ReplicaID is the same
on every system running Domino, meaning that once an attacker has the
ReplicaID they will be able to access the Web Administrator template
on any Domino system.

Fix Information

***************

The best course of action is to remove the Web Administrator template
from the system. You should also consider removing the real Web Administrator,
webadmin.nsf, since if someone were to gain a valid user ID and password for
Domino they would be able to perform undesirable actions against the
system.

Lotus have been informed about this issue and, in their next release of
Domino, version 5.0.9, will ensure that the permissions set on the
webadmin.ntf file are such that anonymous access is prevented.

For those worried about attempts to access the Web Administrator template
file who wish to monitor potential attacks, the ReplicaID
of webadmin.ntf can be obtained from the Domino Catalog, catalog.nsf. Hold the
Control, Shift and H keys down whilst you open the catalog. This key sequence
causes the Notes client to show hidden views as well as visible ones. One of
the hidden views, $ReplicaID, contains the ReplicaID of every database and
template on the system.
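The monitoring suggested above can be applied to the web server's access log. The following is an added example, not part of the advisory or of any NGSSoftware tool: it assumes a Domino HTTP access log in Common Log Format with "-" as the user field for anonymous requests, and uses a constructed placeholder ReplicaID that you must replace with the value read from the $ReplicaID view of your own catalog.nsf. It flags any request addressed by ReplicaID rather than file name, escalates anonymous hits on the watched ID, and also records direct .ntf probes (the 404-producing requests described in Details).

```python
import re

# PLACEHOLDER (constructed): the advisory states webadmin.ntf's ReplicaID is
# identical on every Domino install but does not print it; read the real value
# from the hidden $ReplicaID view of catalog.nsf on your own server.
WEBADMIN_NTF_REPLICAID = "0123456789ABCDEF"

# Assumed: Domino HTTP log in Common Log Format; user field is "-" when anonymous.
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A ReplicaID is a 16-digit hex number used in place of the database file name.
_REPLICA_RE = re.compile(r'^/(?P<rid>[0-9A-Fa-f]{16})(?:[/?].*)?$')
# Direct probes for template files (normally answered with 404).
_NTF_RE = re.compile(r'\.ntf(?:[/?]|$)', re.IGNORECASE)

def parse_clf(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(line, watch=frozenset({WEBADMIN_NTF_REPLICAID})):
    """('high', rid) for an anonymous request to a watched ReplicaID, ('replicaid',
    rid) for any other ReplicaID request, ('ntf-probe', path) for .ntf, else None."""
    rec = parse_clf(line)
    if rec is None:
        return None
    m = _REPLICA_RE.match(rec["path"])
    if m:
        rid = m.group("rid").upper()
        if rid in watch and rec["user"] == "-":
            return ("high", rid)
        return ("replicaid", rid)
    if _NTF_RE.search(rec["path"]):
        return ("ntf-probe", rec["path"])
    return None

def scan(lines, watch=frozenset({WEBADMIN_NTF_REPLICAID})):
    """Return [(line_no, finding)] for every line that classify() flags."""
    findings = [(n, classify(l, watch)) for n, l in enumerate(lines, 1)]
    return [(n, f) for n, f in findings if f is not None]

# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '10.0.0.1 - - [29/Oct/2001:10:00:00 +0000] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 1234',
    '10.0.0.2 - - [29/Oct/2001:10:00:05 +0000] "GET /webadmin.ntf HTTP/1.0" 404 0',
    '10.0.0.2 - - [29/Oct/2001:10:00:09 +0000] "GET /0123456789abcdef/?OpenDatabase HTTP/1.0" 200 5678',
    '10.0.0.3 - jsmith [29/Oct/2001:10:00:12 +0000] "GET /FEDCBA9876543210/?OpenDatabase HTTP/1.0" 200 4321',
]
```

Running scan(SAMPLE_LOG) returns findings for lines 2, 3 and 4; an authenticated request to a non-watched ReplicaID is reported at the lower level so that legitimate replica-addressed traffic can be baselined.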

A check for this problem already exists in DominoScan, NGSSoftware's
Lotus Domino application security scanner; more information on it
is available from http://www.nextgenss.com/dominoscan.html . NISR
have also written a white paper on how to secure Lotus Domino's web
server, available from http://www.nextgenss.com/papers.html
