Lotus Notes Password Hash

[Deeboe]

Hello,

I had an interesting discussion today I would like to share to see if anyone has seen this before.

It seems in "names.nsf" file on a Notes server, the password hashes of the users listed can be seen. This can be done in numerous ways:

- By looking at the names.nsf in a browser window
- By looking at the source of names.nsf in an editor
- By looking up the address book itself and creating a view with the HTTPPassword field
- By exporting idvidual users in Notes and viewing this in text form

This is disturbing to me in more ways than one. I do not know if this hash is "crackable", and frankly am a little scared to find out.

Has anyone seen this before? What have you done? What CAN be done?

Thanks,
-Deeboe

[rapier57]

Dang! I didn't know anyone still used Lotus Notes. Your issue may depend on the version of Notes running on your systems. At one point there were problems with the user and password security in Notes, as well as the ability to pass confidential documents to the entire world (that used Notes anyway).

Lotus Notes is currently at version 7, according to the IBM web site. Do you know the version you are working with?

[Deeboe]

I am running 6.5.x on my machine right now.

-Deeboe

[genXer]

Dang! I didn't know anyone still used Lotus Notes. Your issue may depend on the version of Notes running on your systems. At one point there were problems with the user and password security in Notes, as well as the ability to pass confidential documents to the entire world (that used Notes anyway).

rapier57 - Ok - I'll bite - what do you use? No - really, we use Notes here as well and we're kind of a large company, so I would like to know what else is out there that ppl can use over Notes that works better. If it's better than Notes, I would like to know so I can ask our Notes group if they have looked at that/those product(s).

Deeboe - Ok - does the team/group/oompah-loompahs - heh that support Notes know about this possible exploit you came across? What about IBM?

[phishphreek]

I found several places detailing this:
But... this one seems nice.

http://www.venera.com/downloads/Lotu...isclosures.pdf

Also, this may be of some interest to you.

http://www.securityfocus.com/bid/14389/info

Also this...

http://www.securityfocus.com/bid/14388/info

If they are the same thing.... then

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

Search the securityfocus vulnerability database for more info on notes vulerabiliites.

According to those vuln descriptions... it should be pretty easy to get the hash and then brute force it....

[Deeboe]

I think they broke down into tears and rolled into a ball.

Actually, they were a little freaked out (understandable) and were not sure how to handle it. I haven't heard an update yet.

-Deeboe

[rapier57]

OK, looks like it is a known issue. I didn't find anything on the IBM site, and the SecurityFocus notes indicate that it is not version specific. The exposure seems to be only available if the user has a valid Notes account. So, we don't need to worry about internal threats, right?

GenXer: No, I don't have anything to share on that. Hell, I still use Borland SideKick. Sorry, I shoulda put a <sarcasm on> flag on that comment.

[Deeboe]

OK, however I wonder how that works with an Internet browser... You shouldn't need a Notes ID to view the browser... do you?

If you browse to the Names.nsf file on the web, you can see them there as well. Now, a good compnay will keep those on the Intranet, but that doen't mean SQUAT when you think about it.

Thoughts?

-Deeboe

[nihil]

Sorry mate,

It took me a while to have a "thunk" and find what I was looking for..................I am afraid I haven't used Notes for a while: here is your answer such as there is one:

http://www.securiteam.com/securitynews/5FP0E15GLQ.html

Hope that helps

Also, longer passwords and stronger passwords and change them regularly. "Out of the box" it is rather vulnerable to dictionary attacks.

The lack of a "salt" also means that any given password always gets the same hash (I seem to recall it is some sort of Lotus bastardisation of RC4, but I could be wrong) so you are vulnerable to "rainbow tables" as precomputation is easy.

Hope that helps

[rapier57]

That depends, DeeBoe. If you are browsing to the file from the network (authenticated in the domain) you probably can see it. If you are browsing to the file from an unauthenticated system, outside the network, you should not be able to see it. If you can, that may be why your Notes admins are having spasms on the floor.