Domino WebAdmin.nsf priviledge escalation

From: Kamil Golombek (kamil.golombek@bdo-it.com)
Date: Wed Sep 03 2003 - 01:11:11 EDT

• Next message: Gerald Cody Bunch: "RE: *** GMX Spamverdacht *** Remotely starting the "server" process on win XP"
• Previous message: Jon Hart: "Re: device connection hijacking"
• Next in thread: nee cee: "Re: Domino WebAdmin.nsf priviledge escalation"
• Maybe reply: nee cee: "Re: Domino WebAdmin.nsf priviledge escalation"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hello all,

I would like to ask you a question about a possibility to escalate
priviledge within a webadmin.nsf. During pentesting I've found a Domino
server with 443 port open. The version is LN 5.0.8, so I tried a known
[250+] attack to bypass Domino autentization ... with a quite good success.
But Webadmin.nsf still identify me as ANONYMOUS connection, so few functions
or tools are accessible, but most of them still require user name and
password.

The question is, if there is any way how to
    1) try some default passwords (I wasn't succesfull in finding them)
    2) or change this exploit a little bit to get some kind of administrator
rights (they have many possible roles, if I understand it well).

I don't want to try password guessing (or at least not yet).

When I looked at the source of javascript generated by webadmin.nsf, I
noticed that there are before every subfunction / tool definition also
expressions like LEVEL=1 etc. and there is a variable like "user"=anonymous.

Except of this, I discovered and could download logs by /domlog.nsf, where I
can find various information about users, structure of folders etc. Also
directory download exist (with few files) and finaly /domjava/some.cab is
accessible and then /domjava/view.properties - but I wasn't able to open it
within any program I have.

I feel that this server is nearly finished from pentest point of view, but I
would like to gain last nail, if possible.

Thank you for any help

Kamil Golombek

---------------------------------------------------------------------------
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment
technology powered by the award-winning FoundScan engine. Try it free for 21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
----------------------------------------------------------------------------

• Next message: Gerald Cody Bunch: "RE: *** GMX Spamverdacht *** Remotely starting the "server" process on win XP"
• Previous message: Jon Hart: "Re: device connection hijacking"
• Next in thread: nee cee: "Re: Domino WebAdmin.nsf priviledge escalation"
• Maybe reply: nee cee: "Re: Domino WebAdmin.nsf priviledge escalation"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT