Java vulnerability in Notes and Domino

by Volker Weber

Mikkel Heisterberg has found an interesting vulnerability in the Notes Java API. He depends on replacing Notes.jar on the server (or the client), and then he can make unrestricted calls even when he is only allowed restricted ones. Replacing a locked file is a pretty steep prerequisite, but once it is done, nobody knows you are a dog, err, nobody sees what you are doing. What can IBM do? Sign the Notes.jar and make sure it's got the right one. On the Mac you are safe, because it does not even run Java agents ...

Comments

... and the safest system does not let any users log in and cannot do any other operation then no-ops ;-)


But back to the the thread:

In the Notes client: Lacking some kind of creativity or fantasy I cannot think of anything a "hacker" can do this way, he cannot do otherwise, but: An administrator could modify the notes.jar after installing the Notes client and before the computer is delivered to another user. If the user runs any Java agents (for examples in some business Notes application), a modified Session or Agent class could have some "side effects" doing something IN THE SECURITY CONTEXT and IN THE NAME of the current user.

On the Domino server: Again, I think there is nothing, a user with write access to the notes.jar cannot do, but the modified notes.jar can. And again but: To get a copy of each mail or of each saved document, the bad guy could write an extension manager or server task in C/C++. But modifying the notes.jar is easier for most people (with Java as a kind of common knowledge in the IT industry) and nearly invisible (no traitorous notes.ini entries and such).

Thomas Bahn, 2006-12-08

Many, many hacks are possible when you have physical (write) access to the server disk. Of course, this one is made a lot easier by the fact that Java is so easily de-compiled.

But (IMHO) this is not a serious threat

Bob Balaban, 2006-12-08

Gotta agree with Bob. I admire Mikkel's work (past and present), but server security begins with physical and filesystem security. When those are breached by a smart and determined attacker, all bets are off. The suggested solution of digitally signing the notes.jar file would be an effective deterrent only until someone figured out how to reverse engineer the DLL code that validates the signature.

Richard Schwartz, 2006-12-08

For those who might not see the link on Mikkel's site, IBM published a technote on this.

Ed Brill, 2006-12-08

I have to agree with Thoams and Bob. Any server is at most as secure as the door to the server room. With physical access to the machine or the file system, you can pretty much anything. And with a defense-in-depth concept you should fairly well be able to protect this from happening. So, from a risk assessment perspective I'd say: impact of the attack is high, but the likelihood (assuming standard server protection mechanisms) should be low at most... which results in a medium to low security risk assessment.

Just my two cents,

Ragnar

Ragnar Schierholz, 2006-12-08

Personally, I would like the the Notes client on Mac vulnerable, as this would imply Java would work.

@Ed: Can you shed some light on progress of Java support on mac? (we talk to HL7 in Java, without it we cannot sell our software on Mac clients)

Cheers,

Lars

Lars Berntrop-Bos, 2006-12-08

The tech note says it all: "[...] tampering with the notes.jar requires that an attacker compromise the overall security of the server /workstation [...]."

This is like replacing iexplorer.exe with a virus and claiming a security hole in Windows. This is not a vulnerability.

Timo Stamm, 2006-12-08

@Timo: I have to disagree: It's a question of complexity and costs. Creating a new iexplorer.exe, which does work as the original one and additionally some "extra" stuff, is way more complex than to modifiy the notes.jar (as described by Mikkel).

Thomas Bahn, 2006-12-08

@Thomas: Sure. Just let me have 30 seconds at your box :-)

Timo Stamm, 2006-12-08

@Thomas, not really. With VB you can embed the activex IE control so the person thinks they're in IE and you just name your VB app IExplorer.com

It depends on your skills. If you're a VB programmer you'd probably have trouble hacking the Jar file and they'd argue the other way around.

Carl Tyler, 2006-12-08

Recent comments

Jens Wagner on Surface Pro X :: Das Gerät macht mir große Freude at 16:52
Hubert Stettner on Office 365 im Tagesangebot at 16:26
Volker Weber on Surface Pro X :: Das Gerät macht mir große Freude at 15:35
Jens Wagner on Surface Pro X :: Das Gerät macht mir große Freude at 15:26
Christoph Spitz on Office 365 im Tagesangebot at 13:38
Yves Menge on Office 365 im Tagesangebot at 12:44
Volker Weber on Marshall Monitor II A.N.C. :: Erste Eindrücke at 08:13
Maikel Maes on Marshall Monitor II A.N.C. :: Erste Eindrücke at 07:58
Jochen Kattoll on The Neighbor’s Window :: Oscar Winning Short Film at 22:21
Harald Gärttner on Microsoft Office app on Android and iOS at 15:09
Volker Weber on App-Store-Interna: Apple geht gegen Buchveröffentlichung vor at 14:55
Oliver Stör on App-Store-Interna: Apple geht gegen Buchveröffentlichung vor at 13:42
Volker Weber on Microsoft Office app on Android and iOS at 13:02
Harald Gärttner on Microsoft Office app on Android and iOS at 12:56
Volker Weber on Marshall Monitor II A.N.C. :: Erste Eindrücke at 08:07
Thomas Cloer on Marshall Monitor II A.N.C. :: Erste Eindrücke at 07:57
Matthias Lorz on The Neighbor’s Window :: Oscar Winning Short Film at 12:47
Volker Weber on The Neighbor’s Window :: Oscar Winning Short Film at 11:54
Fabio Peruzzi on The Neighbor’s Window :: Oscar Winning Short Film at 11:48
Fabio Peruzzi on The Neighbor’s Window :: Oscar Winning Short Film at 11:45
Horia Stanescu on The Neighbor’s Window :: Oscar Winning Short Film at 07:04
Martin Funk on The Neighbor’s Window :: Oscar Winning Short Film at 00:00
Sven Bühler on I am not ready for a foldable phone at 22:03
Andreas Imnitzer on The Neighbor’s Window :: Oscar Winning Short Film at 21:48
Roland Dressler on I am not ready for a foldable phone at 15:02

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 19:27

visitors.gif

Paypal vowe