Lotus Notes Client R5 File Existence Verification Vulnerability
BID:1994
Info
Lotus Notes Client R5 File Existence Verification Vulnerability
| Bugtraq ID: | 1994 |
| Class: | Access Validation Error |
| CVE: |
CVE-2000-1117 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Nov 24 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | Discovered by Yasuyuki Endo and Hiromitsu Takagi <[email protected]> and posted to Bugtraq on November 24, 2000. |
| Vulnerable: |
Lotus Notes Client R5 |
| Not Vulnerable: | |
Discussion
Lotus Notes Client R5 File Existence Verification Vulnerability
Lotus Notes Client R5 is a messaging and collaboration tool that contains a built in web browser. The web browser implements a Java Virtual Machine (VM) designed specifically for Lotus Notes. A security vulnerability exists in the Execution Control List (ECL) feature within the Java VM that may allow a third party intruder to verify the existence of files on the system. The ECL utilizes a much more lenient ruleset when accessing local files than the standard Java security model implemented by JDK 1.1 which prohibits any access to local files. The ECL will present the user with a dialogue box whenever he/she attempts to read an existing local file if the getSystemResource() method of the java.lang.ClassLoader class is used. At this point, the user can either authorize execution or abort the operation.
By observing the time elapsed during execution, it is possible to verify the existence of files on the target machine through a specially crafted java applet. If a malicious website operator were to host such a java applet on their site, they would be able to determine what files exist on the visitor's systems.
Lotus Notes Client R5 is a messaging and collaboration tool that contains a built in web browser. The web browser implements a Java Virtual Machine (VM) designed specifically for Lotus Notes. A security vulnerability exists in the Execution Control List (ECL) feature within the Java VM that may allow a third party intruder to verify the existence of files on the system. The ECL utilizes a much more lenient ruleset when accessing local files than the standard Java security model implemented by JDK 1.1 which prohibits any access to local files. The ECL will present the user with a dialogue box whenever he/she attempts to read an existing local file if the getSystemResource() method of the java.lang.ClassLoader class is used. At this point, the user can either authorize execution or abort the operation.
By observing the time elapsed during execution, it is possible to verify the existence of files on the target machine through a specially crafted java applet. If a malicious website operator were to host such a java applet on their site, they would be able to determine what files exist on the visitor's systems.
Exploit / POC
Lotus Notes Client R5 File Existence Verification Vulnerability
Hiromitsu Takagi <[email protected]> has set up the following demonstration page:
http://java-house.etl.go.jp/~takagi/java/security/lotus-notes-existence-attack/Test.html
Hiromitsu Takagi <[email protected]> has set up the following demonstration page:
http://java-house.etl.go.jp/~takagi/java/security/lotus-notes-existence-attack/Test.html
Solution / Fix
Lotus Notes Client R5 File Existence Verification Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Lotus Notes Client R5 File Existence Verification Vulnerability
References:
References:
- Lotus Notes Client R5 ECL Vulnerability Demonstration page (Hiromitsu Takagi)
- Lotus Notes R5 Client (IBM)