
Hacking the ACL

We've all been in the situation where we've locked ourselves out of a database by editing its ACL, and we know how infuriating it can be. Well, you might like to know that you can completely remove the ACL from an NSF file using a free HEX editor like frhed.

Before you try what I am about to describe, I encourage you to make a copy of a local database so you don't do anything you regret. Change the ACL of this copy so you have no access, and make sure "Enforce a consistent ACL" is set so that the ACL also applies to local replicas. Check you have no access by trying to open it in the client. Now:

  1. Download, install and launch a copy of frhed.
  2. From frhed's file menu open the database copy you made.
  3. Find the range of bytes between offset 0x16c and 0x1a7, as highlighted below. This is the ACL.
  4. Set any byte in that range that isn't 00 to 00. There are two such bytes in the example below.
  5. Save changes to the file from frhed's file menu.

[Screenshot: NSF file open in HEX mode, with the ACL byte range highlighted]

Switch back to your Notes client and try to open the copy you had no access to. All being well, you will get in. Notice that the ACL is completely blank!
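A check from the other side of the fence, added here as example code (not part of the original post or of any Lotus tool): it inspects the byte ranges this page names and reports whether a database file's ACL region has been blanked the way the steps above leave it, and it records a digest of that region so a later change can be spotted. The offsets are taken from the post (0x16c to 0x1a7) and from a later comment for Notes 7/8 mail files (0x1b8 to 0x1b9); the NSF layout is not otherwise verified here, and the sample bytes are constructed, not read from a real file.

```python
import hashlib

# Byte ranges (start, end inclusive) as given on this page: the post's range for
# older NSFs and the range a commenter reported for Notes 7/8 mail files. They are
# the page's figures, not a verified NSF specification.
ACL_REGIONS = {
    "post_0x16c-0x1a7": (0x16C, 0x1A7),
    "notes7_8_0x1b8-0x1b9": (0x1B8, 0x1B9),
}

def acl_region(data, region):
    """Bytes of one ACL region, or b"" when the file is too short to contain it."""
    start, end = region
    return data[start:end + 1] if len(data) > end else b""

def region_digest(data, region):
    """SHA-256 of the region, recorded as a baseline while the ACL is known-good."""
    return hashlib.sha256(acl_region(data, region)).hexdigest()

def audit(data, baseline=None):
    """Classify each region: 'missing', 'blanked' (all 00, what the hex edit
    leaves behind), 'changed' (differs from the baseline digest) or 'ok'."""
    report = {}
    for name, region in ACL_REGIONS.items():
        chunk = acl_region(data, region)
        if not chunk:
            report[name] = "missing"
        elif not any(chunk):
            report[name] = "blanked"
        elif baseline and baseline.get(name) not in (None, region_digest(data, region)):
            report[name] = "changed"
        else:
            report[name] = "ok"
    return report

# Constructed 0x200-byte stand-in for an NSF header (not a real file): two non-zero
# bytes in the post's range, like the "two cases" in the screenshot, plus one in
# the Notes 7/8 range.
ORIGINAL = bytearray(0x200)
ORIGINAL[0x170], ORIGINAL[0x171], ORIGINAL[0x1B8] = 0x12, 0x01, 0x40
ORIGINAL = bytes(ORIGINAL)
BASELINE = {name: region_digest(ORIGINAL, r) for name, r in ACL_REGIONS.items()}

# Reproduce what the post's steps do to the copy: zero the post's range only.
WIPED = bytearray(ORIGINAL)
for i in range(0x16C, 0x1A8):
    WIPED[i] = 0
WIPED = bytes(WIPED)
```

Run `audit(open(path, "rb").read(), saved_baseline)` over each local NSF to flag files whose ACL region has gone to all zeros or drifted from the recorded digest.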

This trick/hack is something I've been sitting on for a while now while I plucked up the courage to make it public. It was sent to me by a regular reader, who I will leave with the option of whether or not he wants to own up to the hacking side of things.

I publish this tip in the hope that you will not use it for anything other than to undo your own mistakes. Any damage you may cause while using this method is your own fault and in no way my responsibility. Blah, blah, blah.

Comments

  1. Funny that last Friday I discovered how to unhide the design elements of a database using exactly the same method (a bit of curiosity and a simple hex editor).

    Although my "hacking minute" probably saved a co-worker's job, it made me concerned about how secure Domino really is.

    Regards,

    Guilherme Guimaraes

    • Jake
    • Sat 11 Oct 2003 05:35

    It also makes me wonder whether or not I should be talking about this at all. What constitutes hacking? Is there any way I could get in trouble for making such knowledge public? Makes you wonder...

    Are you going to tell us the offsets that are associated with hidden designs then Guilherme? ;o)

  2. Well, someone did get into grief by telling people about some anti piracy CD software. The fact it could be averted by holding down the shift key when the CD was loaded. But I'm pretty sure he got off!

  3. In Notes 6 you simply log on with full access administration rights :-)

    Anyway, there is another hex hack, you can manually navigate to the -default- entry in the acl and set the default access to manager.

    Regarding the unhiding of designs: Afaik you cannot unhide hidden LotusScript from Notes 5 databases. One of the many tips for this area is the above code:

    Code, but you just see the forms, views etc., not the script libraries. Anyway, if you encrypt all DBs locally your hex editor won't be a help.

    1. Make a local copy of the database as *.NTF (working sample);

    2. Take a look at the ACL to ensure you have proper rights (Manager or Designer);

    3. Open the file in a hexadecimal editor;

    4. Go to hexadecimal address 000000BC and change the value from 20 to 00.

    5. Save the file;

    You probably don't have access to its design yet. Now the second part:

    1. Create a new DB with a BLANK template;

    2. Replace the new DB design with our modified template;

    3. Now you'll be able to access its design.

    Good Luck!

    • Barry L
    • Sat 11 Oct 2003 06:28

    I guess that a server copy is as secure as the server's physical security and its file system security. On the client a policy of keeping all local databases encrypted is one that should be mandatory in a security minded organisation. Have you checked to see if this hack works on an encrypted replica?

  4. Here's the link to a site that teaches how to unhide a database design using a hex editor: {Link}

    It works, but the script libraries show up empty... I don't know if there's a better hack out there...

    • Jake
    • Sat 11 Oct 2003 06:31

    Barry. Not checked this but according to mt69clp, it won't work.

    Thanks Sandra.

    • Barry L
    • Sat 11 Oct 2003 06:32

    Jake, what determines posting time in your blog? I'm posting this at 12:31 GMT but it will come out as 06:31 ish based on previous post...

  5. Jake,

    I'm using 5.0.8 and I've successfully unhidden the design of a few databases...

    But, as I said, script libraries show up empty...

  6. On whether to talk about this - yes, it was the right thing to do. Forewarned is forearmed.

    Sean

  7. This is a good tool

    {Link}

    • Jerry Carter
    • Sat 11 Oct 2003 09:31

    I don't know about encrypted databases, but with hidden designs, the script libraries appear in the hex file as clear text. You can always search for something, though it isn't always clear as to what bit of the design you're looking at.

  8. I agree with Sean - this stuff can make Notes a better product (if IBM can react to it).

  9. Your hack assumes that the "Enforce Consistent ACL" flag is in effect on your local database. (Otherwise, you would not need to "hack" in) I just wanted to point out that you can simply change that flag with just the smallest amount of code.

    Using the C++ API, here it is in 7 lines:

        // Lotus C++ API header; main(), Init(), GetDatabase() and Term() are
        // added here to make the posted snippet complete. The database path is a
        // placeholder: point it at your local copy.
        #include <lncppapi.h>

        int main(int argc, char *argv[])
        {
            LNNotesSession session;
            LNDatabase db;
            LNACL acl;

            session.Init(argc, argv);                      // start the Notes runtime
            session.GetDatabase("local-copy.nsf", &db);    // placeholder path
            db.Open(LNDBOPENFLAGS_NO_USER_INFO);
            db.GetACL(&acl);
            acl.SetUniformAccess(FALSE);                   // clear "Enforce a consistent ACL"
            acl.Save();
            session.Term();
            return 0;
        }

    While writing this program might take slightly longer than using a HEX editor, it's probably safer. Once it's coded of course, it's faster too. I've coded a very simple exe which can toggle this flag for you at:

    {Link}

    • laurens
    • Sat 11 Oct 2003 11:07

    It seems your love affair with Notes is definitely over, when you tell the world the secrets that make her spread her legs ;-)

    • pF
    • Sat 11 Oct 2003 11:37

    I'd say this was more cracking than hacking. But then it's not really illegal because in essence you're modifying a file you have created - albeit in a Lotus form. What's the difference between this and editing a HTML document in Notepad? It's not like the NSF file contains product source code or anything!

    • mike
    • Sat 11 Oct 2003 17:54

    Wow, nice !

    My computer crashed 6 months ago and I was running R6 and I only managed to make a copy of my 3 year old mail file.

    Being R6 it locked me out of the database (no ID file backed up, never needed to before)

    HOPEFULLY this may help me!

    • Stephen Neal
    • Tue 11 Nov 2003 03:11

    Oh come on Laurens, talk about an over reaction, people have been hacking into products for years, just because Jake reveals information about getting into Notes - which by the way has been around for quite a while - does not make him a traitor.

    • Stephen Neal
    • Tue 11 Nov 2003 03:13

    Sorry Laurens - looks for desk to hide under - didn't notice the smiley... Jake you need to add a 'delete' comment action!

  10. I think our role as part of a community (modestly including myself) is to keep the product getting better and better through time. Making these issues public will bring tips and good practices to avoid them too.

    P.S: Jake, I've used the same method as described by mt69clp. By the way, found in the Lotus Developer Domain.

  11. Guilherme,

    I appreciate the sentiment of that argument. The thing that occurs to me, though, is: if we can ferret out which address to mangle with a hex editor... how could the product ever be made immune against such manipulation?

    Having asked the question... an answer is now coming to mind. Anybody remember what the 8th bit is for in TTY 7 bit ? :-)

  12. Folks, this is cool for sure, but there's nothing here that's going to get anybody in trouble, or that's going to require IBM to improve the product. IBM has never claimed that any of Domino's security features -- other than encryption -- could withstand attack by someone with physical access to the NSF file and a hex editor. E.g., ReaderName fields also will not protect data against someone with physical access to an unencrypted server-based replica. Real data security can only be achieved through proper physical security, good quality passwords, and encryption.

    -rich

  13. Ahh.

    As a Domino software developer, I have to state that .nsf files *do* contain product source. Should you *only* be relying on the "hide design", as you point out, you're stuffed.

    Most script libraries and agents store the LS source in the document for that design object. So it's very easy once you've globally recompiled (in a template copy of your Db) to destroy this field, thus preventing some unscrupulous b*st*rd stealing your hard-worked private source..

    Well - it's what we do. Cynical? Yes. Oh - and *do* make frequent backups...

    ---* Bill

  14. I wrote a C API program called ACLHelp which is freely available on OpenNTF.org. It allows you to gain access to any database assuming you have access to the physical file. So the fact you can gain access in this way is VERY old news and no hex editors are required. The only way to properly protect databases like this is encryption.

    Bill - my understanding is that only object code is available in an R5 or R6 database with a hidden design. Although you can hack your way in with an API call, the source code is not available. This was a change from 4.6 where if you managed to remove the hide design flag you could see the source code.

    • Jim G
    • Thu 13 Nov 2003 04:32

    As an Administrator have you ever needed to access a user's mailfile when they (the user) have deliberately removed all trace of Admins from the ACL?

    Open up the mailfile template, add a db queryopen that re-populates the ACL with whatever. Refresh the design of the mailfile. Next time the user opens his mailfile he will unknowingly grant you access.

    This is common Admin practice and isn't hacking exactly but might be construed as invasion of personal space. What's the difference?

  15. But the problem is that I cannot get the hidden agent and script code! Is there any other solution that can solve this problem?

    • A Colleague
    • Thu 20 Nov 2003 14:41

    This is one I really think you SHOULD have sat on, but now the Genie is out of the bottle. I would suggest removing this thread.

    • Morris
    • Fri 5 Nov 2004 06:38

    Hi folks. Is it possible to decrypt a user's .nsf mail database without his id. I have a stickler of a problem and I'm a bit green on Lotus. Thanks.

  16. hi Morris. Were you able to solve your problem? Coz I have the same thing and any opinion is greatly appreciated. :) Thanks in advance. Please mail me whenever you have an idea. :)

    • Burt
    • Mon 17 Jan 2005 10:33

    This thread has been very helpful. Even though it brings up certain security issues it is good that this info is available on the web. It's a bitch when someone leaves the company and decides not to share their password with me (I'm the sys admin)! Thanks, you have just saved me a lot of work.

    • Me
    • Mon 31 Jan 2005 07:29 PM

    Find a mail file and simply double click it from a network location :O

  17. Update for ODS 43: Just clear out the 12 01 in that range. Do not clear anything else or the database becomes corrupt.

    Had to use this today... got myself with the Enforce Consistent ACL setting. Doh!

    • Mart
    • Mon 9 Oct 2006 01:16 PM

    Is this tool frhed supposed to be able to hack Notes 7 ACL??

    I did exactly what you are suggesting i.e. set 00 in the specified range but still popping local access authorisation access message... can't get in!!!

    Any ideas why?

    Thanx

    • Max Ng
    • Mon 27 Aug 2007 12:48 PM

    I tried that on my Notes 7 mail.nsf, apparently not working anymore. Got myself locked out when I forgot the long tedious password of my notes.id

    • RPV
    • Fri 1 Feb 2008 02:28 PM

    On Lotus Notes 7 & 8 mail.nsf files, I too discovered that the range bits described above didn't affect the ACL. Apparently, Lotus changed things around. I'm sure they had their reasons. I finally and successfully cleared out the ACL by experimenting on a local copy on each set that only included two pairs of bits. The ACL cleared by adding zeroes to the range of bits between offset 440 =0x1b8 and 0x1b9.

    Hope it works for you.

    • Razvan
    • Thu 22 Oct 2009 01:34 AM

    Hello,

    I have a problem with a Lotus 6.5 archive. I copied it unfortunately in an encrypted file and then I have reinstalled my Windows. In this way I have lost my encryption key and now I cannot open my archive anymore. Is there a way to recover my archive?

    Thank you!

    • Sia
    • Thu 2 Sep 2010 11:18 AM

    Hello all,

    This here seems to be the most adequate forum with tricks on Lotus Notes. I work at a Service Desk and I have a customer, who apparently can't be helped by anyone from any of our support teams...:S He has Archives, that he has created with local encryption and has been using them for the past 8 years. He created them with his initial ID file. About 2 weeks ago he had called one of my agents, because he had forgotten his ID File password. The agent tried to reconfigure the whole thing by editing the notes.ini file and tried to send the user his initial ID File from the Database. Strangely enough, the ID File was not there, apparently his original ID File came from an older database, that is not used anymore and no one knows what it was or who can look into it. So our 2nd level team dispatched to 3rd level and 3rd level created a new ID File. User was then able to access everything but his archives (obviously). We tried looking for the old ID file, so we can try cracking it, on his backups, but to no avail. I really want to help this guy even though it's not my responsibility anymore. Do any of you know a way to crack an archive's local encryption? Any help will be appreciated.

    Sia

  18. Very nice trick. Still works!

    • noname
    • Wed 15 Feb 2012 09:05 PM

    Is there a hack to undo the locally encrypted mail database too?

    • Mike
    • Thu 12 Apr 2012 01:57 PM

    I've had this page bookmarked for about 5 years, and today I had to come back to reference it. It's very handy. Please never take it down.


About This Page

Written by Jake Howlett on Mon 10 Nov 2003
