what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

heise-lotus.txt

heise-lotus.txt
Posted Jul 20, 2007
Authored by Juergen Schmidt | Site heise-security.co.uk

A debug function in versions 5 and above of Lotus Notes can be used to write a file containing the new password in plain text when a user password is changed.

tags | advisory
SHA-256 | e4f7baa867a47b1fb9704bf578e98b22936cfc57d721050e9c5f5248bf1c9cdd
Download | Favorite | View

heise-lotus.txt

Change Mirror Download

Excerpt from: http://www.heise-security.co.uk/news/92958

------
Password exposure in Lotus Notes

A debug function in version 5 and up of Lotus Notes can be used to write a 
file containing the new password in plain text when a user password is 
changed. This function has been designed to bring more transparency into 
password quality verification. If two additional lines are entered in the 
Notes.INI configuration file, Notes will log the evaluation.

Since the Notes.INI file on a user$B!G(Js hard disk must be manipulated, 
physical access to the system is required to exploit this flaw. But there 
are various possibilities within Notes to manipulate this file, which can, 
in turn, also be used to protect systems from this vulnerability.

Assessment:

Notes uses the password to protect the certificate storage Notes.ID used 
by every user for authentication. This file is encrypted or decrypted with 
the user password. Together with the Notes certificates, Notes.ID also 
stores the user's private key and X.509 certificates, where required. For 
this reason, it is of utmost importance to ensure that nobody can create a 
copy of the password and Notes.ID at the same time. If somebody gains 
concurrent access to both the log file and the Notes.ID, this person can 
authenticate himself to Notes at any time.

Even though administrators can eliminate exploitation of this debug 
function in most cases, a Notes administrator with appropriate privileges 
is able to discover all user passwords. Some Notes customers have 
implemented complex solutions to allow for the central storage of password 
changes, while resetting passwords is only possible based on the four-eye 
principle, i.e. administration and revision must work together to do so. 
The debug function makes it possible to bypass this security policy.
(Volker Weber)
------


For a more detailed analysis, please see the original article on: 
http://www.heise-security.co.uk/news/92958



bye, ju


-- 
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    16 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close