Re: Domino WebAdmin.nsf priviledge escalation

From: nee cee (nc@phat.co.nz)
Date: Wed Sep 03 2003 - 19:50:54 EDT


Kamil

not sure if you are familiar with the pdf whitepaper on the ngs software site http://www.nextgenss.com/papers/hpldws.pdf with regards to hackproofing domino web server. It talks about gaining access to the webadmin template.

"Kamil Golombek" <kamil.golombek@bdo-it.com>
        09/03/2003 03:11 PM
                 
                 To: <pen-test@securityfocus.com>
                 cc:
                 Subject: Domino WebAdmin.nsf priviledge escalation

Hello all,

I would like to ask you a question about a possibility to escalate
priviledge within a webadmin.nsf. During pentesting I've found a Domino
server with 443 port open. The version is LN 5.0.8, so I tried a known
[250+] attack to bypass Domino autentization ... with a quite good success.
But Webadmin.nsf still identify me as ANONYMOUS connection, so few functions
or tools are accessible, but most of them still require user name and
password.

The question is, if there is any way how to
    1) try some default passwords (I wasn't succesfull in finding them)
    2) or change this exploit a little bit to get some kind of administrator
rights (they have many possible roles, if I understand it well).

I don't want to try password guessing (or at least not yet).

When I looked at the source of javascript generated by webadmin.nsf, I
noticed that there are before every subfunction / tool definition also
expressions like LEVEL=1 etc. and there is a variable like "user"=anonymous.

Except of this, I discovered and could download logs by /domlog.nsf, where I
can find various information about users, structure of folders etc. Also
directory download exist (with few files) and finaly /domjava/some.cab is
accessible and then /domjava/view.properties - but I wasn't able to open it
within any program I have.

I feel that this server is nearly finished from pentest point of view, but I
would like to gain last nail, if possible.

Thank you for any help

Kamil Golombek

----------------

_____________________________________________________________
Sign up for FREE email @ www.phat.co.nz and get your own @phat.co.nz address!
muzic n' more @ http://www.muzic.net.nz\n\nDisclaimer: phat.co.nz accepts no responsibility for the actions of it's members.

---------------------------------------------------------------------------
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment
technology powered by the award-winning FoundScan engine. Try it free for 21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT