Lotus Domino Hack

In 1997, while working in the Marketing group at IBM Storage Systems Division, Scott conceived of the idea for an Extranet to link IBM’s biggest OEM Storage customers: HP, Apple, Dell, Bell Micro, etc… together with manufacturing, sales, and R&D, using a new technology called Lotus Domino. Domino was a web interface to Lotus Notes. Scott named this new marketing product the “IBM Edge” and the name stuck for four years. To give you an idea of the scope of this project, it provided ALL of a customer’s own relevant SAP CRM data, and all the information on all the products they’d purchased, including confidential manufacturing and R&D reports, and in some cases, it also enabled electronic ordering. In 1999 this system booked over $2B in electronic orders, making it the #2 system in the world behind IBM’s own PC business, or so we were told. It earned Scott an Outstanding Technical Achievement Award (OTAA) and a trip to IBM’s Boardroom, and this isn’t even the interesting part.

During development of the “IBM Edge” system, and prior to it going live, Scott asked one of his developers, Nick Bushnell, to start a project to build a Lotus Domino cracking tool. Scott outlined the program flow, identified all the known hacking tricks he’d developed by hand, 57 in total, and demonstrated how Nick could programmatically expand on these. At this point, Scott had also informed the Division CTO & Information Asset Security person of the Lotus Domino flaws he’d discovered and asked that she contact Lotus. By this time IBM had owned Lotus for roughly a year. After two weeks of development, and while Scott was out sick one day, he was informed that the program had been completed. They arranged to test it the next day on some internal systems. That evening the programmer, and another on Scott’s team, Matt Wuebbling, chose to run the tool on each of our internal servers and found nothing. They assumed it didn’t work, so they ran it on Notes.net and several other well-known Lotus owned/controlled websites. Furthermore, when the tool pointed out vulnerabilities at Notes.net, these two tested one of them. They remapped Notes.net/support to a dummy page on one of our team’s external IBM servers.

Now here’s where the story becomes interesting: nothing happened, so Nick went home while Matt decided to stay late. Well, we soon learned that Lotus’s servers rebooted at midnight, the changes they’d made had taken effect, and we were receiving 100 legitimate hits an hour for Lotus Support to our bogus test page.

That next morning Scott got a call at home from Matt at 7 AM. Now at that time, Matt was the kinda guy whose eyes didn’t normally open till at least 9 AM on a “work day,” and he’s asking Scott when he’s coming in. Scott said shortly and asked, “Why?” Matt requested that Scott rush as it was serious, but Matt would provide no more details. When Scott arrived Matt laid out what had transpired, then they dove into their server logs to see if Lotus had launched a counter-attack.

From midnight till 6 AM, Eastern time, Lotus’s Support page was mapped to our dummy page, which received over 500 hits. Then traffic stopped, and things heated up. For the next 45 minutes, Lotus attempted to hack our IBM server using the same tricks we’d used. Having designed our security scanning program, Scott had already locked down ALL his servers, internal and external, against the 57 flaws they’d already uncovered and reported to Lotus. The fact that IBM owned Lotus, and that Lotus tried to hack us and failed, was an integral part of Scott’s defense of his team when Lotus requested later that day that they all be fired, then arrested. Scott dodged a bullet with this hack. It took Scott several very tense meetings with IBM corporate counsel, Lotus (via teleconference), the Division CTO and HR to get things straightened out. In fact, at the first meeting, Scott walked in and knew everyone in the room except one person. She then introduced herself as the director of HR, requested that Scott sit next to her, and then said, “I’m here for you.” She implied it was to help, but her role fortunately never played out.

A week later Scott met with the Lotus executive, the same guy who had wanted them fired, and later that week with IBM Research’s Tiger Team (white hats), and released his team’s code to both groups. One final note: shortly after the above incident Scott received an Outstanding Technical Achievement Award, one of IBM’s highest awards, for his work on the IBM Edge (internally called “HDD Partner Info”).

OTAA