Java vulnerability in Notes and Domino
by Volker Weber
Mikkel Heisterberg has found an interesting vulnerability in the Notes Java API. It depends on replacing Notes.jar on the server (or the client); once that is done, he can make unrestricted calls even when he is only allowed restricted ones. Replacing a locked file is a pretty steep prerequisite, but once it is done, nobody knows you are a dog, err, nobody sees what you are doing. What can IBM do? Sign the Notes.jar and check that the one in use is the right one. On the Mac you are safe, because it does not even run Java agents ...
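The mitigation suggested above (sign Notes.jar and check that the copy in use is the genuine one) rests on the per-entry digests a signed JAR carries in META-INF/MANIFEST.MF. The following Python is an added example, not code from this post or from IBM: it builds a small constructed JAR whose manifest lists a SHA-256-Digest for each entry, then shows that a class file swapped in without updating the manifest is flagged. The entry names lotus/domino/Session.class and lotus/domino/Agent.class and their contents are constructed placeholders, not real Notes bytecode.

```python
import base64
import hashlib
import hmac
import io
import zipfile

DIGEST_KEY = "SHA-256-Digest"  # attribute name used by signed-JAR manifests


def _parse_manifest(text):
    """Parse manifest text into (main attributes, {entry name: attributes}).

    Handles the JAR continuation convention: a line starting with one space
    continues the previous attribute's value.
    """
    sections, current, last_key = [], {}, None
    for line in text.splitlines():
        if line == "":
            if current:
                sections.append(current)
                current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key is not None:
            current[last_key] += line[1:]
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    per_entry = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, per_entry


def verify_manifest_digests(jar_bytes):
    """Compare every non-META-INF entry against its manifest digest.

    Returns {entry name: "ok" | "tampered" | "unlisted" | "missing"}.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        _, listed = _parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in zf.namelist():
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            attrs = listed.get(name)
            if attrs is None or DIGEST_KEY not in attrs:
                result[name] = "unlisted"  # present in the JAR but never signed
                continue
            expected = base64.b64decode(attrs[DIGEST_KEY])
            actual = hashlib.sha256(zf.read(name)).digest()
            result[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
        for name in listed:
            result.setdefault(name, "missing")  # signed entry that was removed
    return result


def build_jar(entries):
    """Build an in-memory JAR whose manifest carries a digest per entry (constructed sample)."""
    manifest = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
        manifest += [f"Name: {name}", f"{DIGEST_KEY}: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest) + "\r\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def replace_entry(jar_bytes, name, new_data):
    """Rewrite one entry while leaving the manifest untouched (models the swap the post describes)."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


# Constructed sample: two placeholder "class files" standing in for the real ones.
ORIGINAL_JAR = build_jar({
    "lotus/domino/Session.class": b"constructed original Session bytecode",
    "lotus/domino/Agent.class": b"constructed original Agent bytecode",
})
TAMPERED_JAR = replace_entry(
    ORIGINAL_JAR, "lotus/domino/Session.class", b"constructed modified Session bytecode"
)

if __name__ == "__main__":
    print("original:", verify_manifest_digests(ORIGINAL_JAR))
    print("tampered:", verify_manifest_digests(TAMPERED_JAR))
```

This checks only the manifest digests; full signed-JAR verification (what `jarsigner -verify` does) additionally checks the .SF file against the manifest and the signature block's certificate chain, and anyone re-signing the JAR with their own key would pass a digest check, which is why the trust anchor has to be a certificate the verifier already holds. As the commenters below point out, a check that runs on a host the attacker already has write access to can itself be replaced, so the same comparison is worth running out-of-band, from a file-integrity monitor or a known-good hash kept elsewhere.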
Comments
... and the safest system does not let any users log in and cannot do any other operation than no-ops ;-)
But back to the thread:
In the Notes client: Lacking some kind of creativity or fantasy I cannot think of anything a "hacker" can do this way that he cannot do otherwise, but: An administrator could modify the notes.jar after installing the Notes client and before the computer is delivered to another user. If the user runs any Java agents (for example in some business Notes application), a modified Session or Agent class could have some "side effects" doing something IN THE SECURITY CONTEXT and IN THE NAME of the current user.
On the Domino server: Again, I think there is nothing a user with write access to the notes.jar cannot do, but the modified notes.jar can. And again but: To get a copy of each mail or of each saved document, the bad guy could write an extension manager or server task in C/C++. But modifying the notes.jar is easier for most people (with Java as a kind of common knowledge in the IT industry) and nearly invisible (no traitorous notes.ini entries and such).
Many, many hacks are possible when you have physical (write) access to the server disk. Of course, this one is made a lot easier by the fact that Java is so easily de-compiled.
But (IMHO) this is not a serious threat
Gotta agree with Bob. I admire Mikkel's work (past and present), but server security begins with physical and filesystem security. When those are breached by a smart and determined attacker, all bets are off. The suggested solution of digitally signing the notes.jar file would be an effective deterrent only until someone figured out how to reverse engineer the DLL code that validates the signature.
For those who might not see the link on Mikkel's site, IBM published a technote on this.
I have to agree with Thomas and Bob. Any server is at most as secure as the door to the server room. With physical access to the machine or the file system, you can do pretty much anything. And with a defense-in-depth concept you should fairly well be able to protect this from happening. So, from a risk assessment perspective I'd say: impact of the attack is high, but the likelihood (assuming standard server protection mechanisms) should be low at most... which results in a medium to low security risk assessment.
Just my two cents,
Ragnar
Personally, I would like the Notes client on Mac vulnerable, as this would imply Java would work.
@Ed: Can you shed some light on progress of Java support on mac? (we talk to HL7 in Java, without it we cannot sell our software on Mac clients)
Cheers,
Lars
The tech note says it all: "[...] tampering with the notes.jar requires that an attacker compromise the overall security of the server /workstation [...]."
This is like replacing iexplorer.exe with a virus and claiming a security hole in Windows. This is not a vulnerability.
@Timo: I have to disagree: It's a question of complexity and costs. Creating a new iexplorer.exe, which does work as the original one and additionally some "extra" stuff, is way more complex than to modify the notes.jar (as described by Mikkel).
@Thomas: Sure. Just let me have 30 seconds at your box :-)
@Thomas, not really. With VB you can embed the ActiveX IE control so the person thinks they're in IE and you just name your VB app IExplorer.com
It depends on your skills. If you're a VB programmer you'd probably have trouble hacking the Jar file and they'd argue the other way around.