NGSSoftware Insight Security Research Advisory Name: Lotus Domino Web Administrator Template ReplicaID Access Systems Affected: Lotus Domino 5.x on all operating systems Severity: High Risk Vendor URL: http://www.lotus.com/ Author: David Litchfield (david@nextgenss.com) Date: 29th October 2001 Advisory number: #NISR29102001A Description *********** Lotus Domino is an Application server designed to aid workgroups and collaboration on projects and offers SMTP, POP3, IMAP, LDAP and web services that allow users to interact with Lotus Notes databases. NISR have discovered a feature of Domino's web server that allows an anonymous user to access the Web Administrator template file (webadmin.ntf) and use some of its functionality. Normally webadmin.ntf should not be accessible and as such this poses a high security threat to systems running Lotus Domino. Details ******* Lotus Notes Databases can have one of several file extensions such as .nsf, .ns4 or .box and when the Domino web server receives a client request it examines the request to decide if it is for a Notes database file. If it is Domino for looks for the file in the \lotus\domino\data directory; if it is not Domino looks in another directory: \lotus\domino\data\domino\html. Some Notes databases are derived from template files that have a .ntf file extension. These template files exist in the same directory as their .nsf children; However, making a request for a template file causes Domino to search in the latter directory, but as they exist in the former, the web server fails to find the file and returns a File Not Found (404) reply. Another way to make a request for a database resource is to use the database's ReplicaID. A ReplicaID is a 16 digit hexadecimal number that is use to track concurrent copies of the same database over different systems. It is therefore possible for a user to access a Notes database template file by making a request to the web server using the template's ReplicaID. Of all the templates only the Web Administrator template file seems to be dangerous. Anonymous users can read any text based file on the system that Domino has the permission to access as well as enumerate all databases on the system. If the Domino web service process is running as root or SYSTEM then an attacker would not be limited to the files they could access. This problem is further exacerbated by the fact that the webadmin.ntf ReplicaID is the same on every system running Domino meaning that once an attacker has the ReplicaID then they will be able to access the Web Administrator running on any Domino system. Fix Information *************** The best course of action is to remove the Web Administrator template from the system. You should also consider removing the real Web Administrator, webadmin.nsf as if someone were to gain a vaild user ID and password for Domino then they will be able to perform undesirable actions against the system. Lotus were informed about this issue and, in their next release of Domino, version 5.0.9, will ensure that the permissions set on the webadmin.ntf file are such that anonymous access is prevented. For those worried about attempts to access the Web Administrator template file and wish to monitor potential attacks, you can get the ReplicaID of webadmin.ntf from the Domino Catalog, catalog.nsf. Hold the Control, Shift and H keys down whilst you open the catalog. This key sequence causes the Notes client to show hidden views as well as visible. One of the hidden views, $ReplicaID contains the ReplicaID of every database and template on the system. A check for this problem already exists in DominoScan, NGSSoftware's Lotus Domino application security scanner, of which, more information is available from http://www.nextgenss.com/dominoscan.html . NISR have also written a white paper on how to secure Lotus Domino's web server available from http://www.nextgenss.com/papers.html -----------------------------------------------------
