Head in a blender

Wednesday’s Hole is Full of Woe - discovering chinks in the armor

Andy Pedisich  March 11 2009 08:49:01 AM
So, there I am with a downloaded ID that I acquired using a training account's default password to get in over the web and a default password on a Lotus Notes ID file embedded into a person document.  

But what to do with it?  It probably has no significant rights.  Here's another security hole I used that you can fix today.

The ACL for Anonymous on the CATALOG.NSF is set to No Access.  The -Default- ACL for Notes fat client is Author, meaning I now had rights to take a look at the contents of the collection of all databases on the server.  My favorite view in the catalog... Access Control Lists - by Name.


This view gives you a listing of all the databases that have crazy ACL configurations where -Default- is set to Manager, Designer, or Editor.  What's that you say?  Some databases aren't listed in the Catalog because we un-check the box that says "List in Database Catalog" in the database properties?


True.  The database won't list, but that doesn't mean it isn't in the catalog; it just means it isn't listed in the catalog.  If I make a local copy of the catalog with my own name on the ACL and open it with the Designer client, I can make a copy of the Access Control Lists - By Name view and change its selection formula, removing the !(DBListInCatalog = "0") clause.  That turns it from this...

SELECT @IsAvailable(ReplicaID)& @IsUnavailable(RepositoryType)& !(DBListInCatalog = "0")

To this...

SELECT @IsAvailable(ReplicaID)& @IsUnavailable(RepositoryType)

Note that I removed the & !(DBListInCatalog = "0") clause, which is what excludes databases marked not to list in the catalog.  Now I have a view that includes all databases.


By the way, this security hole isn't about the catalog.  It's about administrators who don't review the catalog to ensure -Default- is set correctly.  The catalog is a great treasury of all sorts of information about applications on your Domino server.

In this particular case, the rights to create both restricted and unrestricted agents in the server documents were set to a generous asterisk ("*"), meaning anyone could create them.  That's today's bonus security hole.  I still could have created some havoc just using the rights I discovered were mine by default.  Since I did have Designer rights, I created a couple of agents to do some crazy stuff, and then contacted the client with the bad news.
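As an added example (not code from the original post), here is a small Python audit that reproduces the catalog view's selection logic but drops the DBListInCatalog filter, so the -Default- check covers databases marked "don't list" as well, plus a check for the "*" wildcard in the agent-creation settings. The field names ReplicaID, RepositoryType and DBListInCatalog come from the selection formula above; the DefaultAccess column and the setting labels are an assumed export layout.

```python
# Standard Notes ACL levels, lowest to highest, so levels can be compared.
ACCESS_RANK = {"No Access": 0, "Depositor": 1, "Reader": 2, "Author": 3,
               "Editor": 4, "Designer": 5, "Manager": 6}

# Constructed sample records, one per database document in the catalog.
# A missing key models a field that @IsUnavailable would report as absent.
CATALOG = [
    {"Title": "Catalog", "ReplicaID": "REPLICA-ID-1", "DBListInCatalog": "1",
     "DefaultAccess": "Author"},
    {"Title": "Sales Tracking", "ReplicaID": "REPLICA-ID-2",
     "DBListInCatalog": "1", "DefaultAccess": "Manager"},
    {"Title": "HR Reviews", "ReplicaID": "REPLICA-ID-3", "DBListInCatalog": "0",
     "DefaultAccess": "Editor"},
    {"Title": "Discussion Template", "ReplicaID": "REPLICA-ID-4",
     "RepositoryType": "1", "DBListInCatalog": "1", "DefaultAccess": "Manager"},
]


def selected_by_view(doc, honor_list_flag=True):
    """Mirror the view's selection formula: ReplicaID must exist, RepositoryType
    must not, and (when honor_list_flag is True) DBListInCatalog must not be "0"."""
    if "ReplicaID" not in doc or "RepositoryType" in doc:
        return False
    if honor_list_flag and doc.get("DBListInCatalog") == "0":
        return False
    return True


def risky_defaults(catalog, threshold="Editor", honor_list_flag=False):
    """Return (title, level) for databases whose -Default- entry is at or above
    threshold.  With honor_list_flag=False the "don't list" flag is ignored,
    so databases hidden from the stock view are audited too."""
    floor = ACCESS_RANK[threshold]
    hits = []
    for doc in catalog:
        if not selected_by_view(doc, honor_list_flag):
            continue
        level = doc.get("DefaultAccess", "No Access")
        if ACCESS_RANK.get(level, 0) >= floor:
            hits.append((doc["Title"], level))
    return hits


def wildcard_agent_rights(settings):
    """Flag server-document agent settings whose entry list contains "*".
    settings maps an assumed setting label to its list of entries."""
    return [name for name, entries in settings.items() if "*" in entries]


if __name__ == "__main__":
    print("listed only:", risky_defaults(CATALOG, honor_list_flag=True))
    print("all databases:", risky_defaults(CATALOG))
    print("wide-open agent rights:", wildcard_agent_rights(
        {"Run restricted agents": ["*"], "Run unrestricted agents": ["Admins"]}))
```

Run against a real export, the difference between the two risky_defaults calls is exactly the set of databases the "List in Database Catalog" checkbox was hiding from the stock view.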

It's important to note that I could have easily been stopped by any number of additional settings that I am sure (*cough*) you already have set properly in your domain.  These are things like:
  1. Periodic review of all databases and templates in the catalog to ensure that no wild defaults exist.
  2. Password checking
  3. Password expiration
  4. Specific control of who can and cannot create unrestricted agents
  5. Better default passwords during registration
  6. Periodic discovery and removal of IDs from the address book, especially if you have users that are exclusively iNotes/DWA users

There are probably some more of these stoppers too.

Got a tip or a question?  Visit the LotusUserGroup 40 Security Holes forum I'm moderating this week only.  And join us at The View's Admin/Dev 2009.  It's always a quality conference with lots of access to street-wise Administrators and Developers.

- Andy

Comments

1. Dan Soares  3/11/2009 2:12:42 PM

Enjoying your tips Andy and verifying that my db's are secure too :-)

I did have Anonymous set to No Access for catalog and the Default ACL was set to Author.

Is that what's recommended for Default (Best practice)?

Dan

2. Dan Soares  3/11/2009 2:19:37 PM

Never mind, answered my own question.

According to this entry, it should be set to Reader:

http://www-01.ibm.com/support/docview.wss?uid=swg21084811

Dan

3. Andy Pedisich  3/11/2009 8:30:24 PM

The template CATALOG.NTF is clearly set for -Default- to be Author for any database created from the template, regardless of what the best practices might say it should be.

And keep in mind that this is not a critique of the catalog itself, which I believe is enormously useful. Rather it points to the fact that many administrators don't take advantage of this information to make their domains as secure as they could be.

Thanks for the comment, though. Glad to see you have found that you are keeping your enterprise secure.

- Andy

4. Victor Toal  3/12/2009 9:21:12 AM

Andy - this is a good one! Really shows what unintended consequences sloppy administration practices can have.

I have to admit I am now not sure what ACL settings I ever set on catalogs (let's check that later) but IDs on person docs I always check for and eliminate.

This is a good one I will use/plagiarize when I talk with clients who resist security changes that I suggest ... thanks for sharing!!