CERT VU:959207
History: May 14, 2001 - 12:00 a.m.

Lotus Notes Java VM leaks file existence through timing difference in ECLs

2001-05-14 00:00:00
www.kb.cert.org

CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.003
Percentile: 70.4%

Overview

Lotus Notes JVM leaks information about the existence of a file.

Description

A malicious Java applet run in the Lotus Notes web browser can determine if a local file exists. Notes’ preferences must be set to browse the web using the Notes browser, with execution of Java applets enabled.

When a Java applet tries to access local files, Lotus Notes presents a dialog box to the user asking whether access should be allowed. It only presents this dialog after checking if the local file exists; if it does not exist, the dialog is not shown. Thus, if the applet can determine whether the dialog was shown, it will know whether the file exists.

If the dialog is shown, it will take some time for the user to notice it and click a button to dismiss it. The applet can detect whether the dialog was shown by checking the times before and after trying to access the local file. If the dialog was not shown, the time difference will be very small, while if the dialog was shown, the time difference will be substantially longer. Based on the time difference, the applet can determine if the dialog was shown and therefore whether the local file exists.
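
The check ordering described above, modelled as an added Java example (not Lotus or CERT/CC code). The class name, method names and the hardened ordering are assumptions for illustration, and the simulated user always denies access.

```java
import java.io.File;
import java.io.IOException;
import java.util.function.Predicate;

// Hypothetical model of a sandbox gate guarding local-file access by untrusted code.
public class EclGateDemo {
    // What the caller can observe: the decision, and whether a dialog blocked on the user.
    static final class Result {
        final boolean allowed, prompted;
        Result(boolean allowed, boolean prompted) { this.allowed = allowed; this.prompted = prompted; }
    }

    interface Gate { Result check(File f, Predicate<File> askUser); }

    // Ordering described in the advisory: existence is tested first, so the dialog
    // (and the human-scale delay it causes) appears only for files that exist.
    static Result flawedGate(File f, Predicate<File> askUser) {
        if (!f.exists()) return new Result(false, false); // fast return: no dialog
        return new Result(askUser.test(f), true);
    }

    // Assumed fix: get the user's decision before touching the filesystem, so a
    // denied request looks the same whether or not the file exists.
    static Result hardenedGate(File f, Predicate<File> askUser) {
        if (!askUser.test(f)) return new Result(false, true);
        return new Result(f.exists(), true); // existence visible only after consent
    }

    // Regression check: with a user who denies everything, does anything the
    // caller can observe differ between an existing and a missing file?
    static boolean leaksExistence(Gate gate) throws IOException {
        File present = File.createTempFile("ecl-demo", ".txt"); // constructed sample
        present.deleteOnExit();
        File absent = new File(present.getParentFile(), present.getName() + ".missing");
        Predicate<File> userDenies = f -> false; // simulated "deny" click
        Result a = gate.check(present, userDenies);
        Result b = gate.check(absent, userDenies);
        return a.prompted != b.prompted || a.allowed != b.allowed;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("flawed gate leaks existence:   " + leaksExistence(EclGateDemo::flawedGate));
        System.out.println("hardened gate leaks existence: " + leaksExistence(EclGateDemo::hardenedGate));
    }
}
```

In the hardened ordering the prompt itself no longer depends on the file, so the delay a caller measures carries no information about existence unless the user has already granted access.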


Impact

By checking for the existence of certain files, an attacker can learn what software is installed and what programs have been executed recently on the client machine. However, the attacker cannot read or modify any files through this vulnerability.


Solution

Lotus plans to fix this issue in a future release of Notes.


Disable execution of Java applets in Notes preferences. For more details, see <http://www-1.ibm.com/support/docview.wss?uid=swg21102440>.


Vendor Information


Lotus Software: Affected

Notified: May 03, 2001 Updated: March 30, 2006

Status

Affected

Vendor Statement

[Lotus has published] Technote # 183400, […], which documents this issue, including workarounds:

<http://www-1.ibm.com/support/docview.wss?uid=swg21102440>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23959207 Feedback>).


Acknowledgements

Thanks to Hiromitsu Takagi for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: CVE-2000-1117
Severity Metric: 0.06
Date Public:
