A local vulnerability in a Lotus Notes for Linux configuration file could allow a malicious user to manipulate the values of essential configuration parameters and gain access to files.
When installing Lotus Notes for Linux, the default permissions for the "notesdata/notes.ini" configuration file are "666". This gives malicious local users the ability to open the file, change the values of configuration parameters and save them. The local copy of Notes would then run using these altered parameter values, which could cause Notes to operate improperly and possibly destroy or alter data.
Administrators should set permissions on the configuration file so that unauthorized users can't write to the file.
This vulnerability exists in Lotus Notes 6.0.2, and it may exist in other versions. Lotus Notes version 6.x has exhibited other vulnerabilities in the past, including a buffer overflow when handling long .zip file names, a heap overflow with long HTTP status lines, and an error in the Java Virtual Machine.
The vulnerability was discovered by a coder known as l0om who requested anonymity. l0om is a member of a team of security researchers that maintains the German Web site www.excluded.org.
"There are faulty default permissions for the important configuration file notesdata/notes.ini. [The permissions are] rw-rw-rw-," l0om said. "We could modify CleanupScriptPath to a binary in our $HOME, which could spawn a suid shell next time cleanup is executed. We could change NotesProgram to some directory in our $HOME. Notes will try to find a binary in our fake directory, which could spawn a suid shell for us."