From: Chad Loder (cloder@loder.us)
Date: Wed Nov 27 2002 - 14:03:38 EST
Hi. There are hundreds of default Lotus Notes databases to check
for. Some of them are potentially very damaging, depending on
what version of Domino they are running. Keep in mind that
Lotus Domino has a few dozen default databases, and then factor
in all the databases that come with Lotus add-ons like SameTime,
DECS, etc.
The catalog.nsf database obviously gives you a list of other
databases that you can then look at. Keep in mind that the
catalog is not guaranteed to be up-to-date -- in other words,
there may be databases on the server which are NOT listed in
the catalog for one reason or another.
Another interesting database is the Name & Address book (typically
/names.nsf, although you can get the real location out of the
catalog database). The names.nsf database contains all sorts of
detailed information about usernames, remote servers, etc. which
should NEVER be made public.
Depending on the version of Domino is running, you can try accessing
the hidden $Users view of the Name & Address book. This view
contains the unsalted HTTP password hashes of all the users. It's
very easy to launch a dictionary attack against these hashes and
thereby further compromise the system. You would typically
look for http://victimhost/names.nsf/$Users
David Litchfield has discovered some nice vulnerabilities, including
one that lets you access the web administration template over the
web, which then lets you get a full database listing and/or read
any text files off the server. You can then exploit this to read
the NOTES.INI file, which contains all sorts of fun information,
and may give you enough information to get the server.id file
or the Administrator ID file, which you could then crack (or you
might not have to crack it, considering Lotus recommends that
you don't use a password on your server ID file). This would
let you connect back to the system as itself, using the native
NotesRPC protocol (port 1352) from a Notes client.
In my pen testing, I haven't EVER found a Notes server that
couldn't be owned by someone who knows what he's doing (me,
hehe). I've only talked about port 80 here -- there are plenty
of other Lotus Notes vulnerabilities on SMTP, POP3, DIIOP,
etc.
Lotus Notes, in general, requires a lot of work to secure.
The way they release patches is a pain in the ass (they don't
have cumulative patches between releases, which means you have
to download and run a dozen incremental installers in a row).
Their default database permissions are insecure, although they
have been getting better in this regard (R6 has decent permissions,
R5 and R4 are basically wide open out of the box).
<BLATANT PLUG>
There are tons of other databases to look for. You can use them
to crack passwords, to learn about other servers in their Notes
domain, learn about who they are replicating with and how, etc. There are
plenty of other non-database related Notes vulnerabilities to look for
as well.
You may want to try our NeXpose security scanner, which scans for
all known Lotus Notes vulnerabilities, up to and including R6 (and in
particular, it scans for tons of default databases and not only
tells you what access you have, but what that database is used for
and what the implications of it being open are). You can download
an eval version from http://www.rapid7.com
</BLATANT PLUG>
Have fun,
Chad Loder
Rapid 7, Inc.
http://www.rapid7.com
On Wed, Nov 27, 2002 at 01:28:07AM -0500, svetsanj@hotmail.com wrote:
>
>
>
>
> We are doing a penetration testing for a client who has lotus notes. We
> were able to access the catalog.nsf file from the web and other admin
> pages such as the user list page, connections page database page etc.
>
> Question is, is this just a low level threat or can a hacker use this
> info to hack further. Also clicking on some of the admin pages brings up
> a default page which says click here to access page. On a notes client
> its possible to click that page put not through http. Is there a
> workaround url that bypasses that page?
>
> SKP
>
>
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT