Re: Vulnerability discovered on Lotus Domino server "admin4.nsf"

From: jalvare7@cajastur.es
Date: Wed Mar 08 2006 - 03:18:02 EST


Hi,

You'll need some docs:

http://www.ibm.com/developerworks/lotus/library/

A lot, I know, but there you'll find answers to your questions.
Look also at the latest vulnerabilities discovered in Lotus Domino:

http://www-128.ibm.com/developerworks/lotus/security/

Now, I see there the Lotus HTTP daemon, so pretty sure you have iNotes (webmail) there. There are quite many issues with that service and the Domino web server. In fact, most Domino published problems I've seen have to do with them.

First is to know the Lotus version. Though the web interface probably won't give you any banner even for errors (try it anyway), I believe the visual appearance of the interface is different between versions; that can at least tell you if it's a 5 or 6 version. You can also try some social engineering and investigate how old the installation is. Note that there's no patching with Lotus Notes (that I know), but to fix vulnerabilities you have to upgrade version, which is a non-trivial and costly thing to do that most admins will give an ugly face at. Lotus Domino users in general have a false understanding that Lotus is a "very secure" platform, in part because it is proprietary in its core architecture and not easily found outside of corporate land. So, you can work on the assumption that from the installation up there hasn't been any fixing.

Port 1352 will probably disappoint you, for Lotus speaks an RPC protocol there, and unless you are trying some proof of concept exploit there, or feel like doing some protocol analysis... There's one very recent vulnerability there related to the authentication process, probably the most juicy result you could expect to find on the vulnerabilities ground. Also, there are known problems with the passwords used for web access; that's something you'll also want to check. There are some tools to test web passwords, like Lodowep; I've never tried generic password crackers.

The Lotus Notes client will need an ID file to do anything; if you don't have one, look around for it. Some clues: many times it's installed in the user box under the Lotus installation folder. If you can penetrate a user desktop you can get one. If that user is the Lotus admin you could get to impersonate her/him. There could also be some in some shared folder, and there most probably are some in the server itself (try to exploit some W2K problem). Once you have it you'll also need the ID password. I only know of one tool to crack those ID files' passwords, and it is commercial (ID Password Recovery). Do not change that password, because if the server is configured to check it, it will complain when the real user next authenticates, alerting of your activities. Mind, Lotus Notes logs are nasty and mostly unhelpful in my experience (I really would thank anyone who could correct me by explaining how to use them effectively). You could be banging on the login form of the web client and not leaving any trace (in the logs).

Once you have access to Lotus Notes with any user's ID, go and look for unprotected databases (be very careful to only check access control in the properties of the database and not open any if your assignment does not explicitly allow you). One database that everyone can read is the Lotus Dictionary, named "names.nsf". That's a real piece of cake, for you can not only find out who's who, but also take a look at all aspects of the Lotus Domino server configuration (I consider that a built-in vulnerability on the part of the product). Note that names.nsf could also be browsed from the web interface in most cases, even when the user has no access permission to any database through the web.

Hope you found all this long reading helpful :-)

--------------------------------------------

Hi,

I'm doing an external blackbox PT on a mail server running Lotus
Domino. The server OS is Windows 2000 and web server is Lotus Domino.
It has following ports open:

80 - Lotus Domino httpd
443 - Lotus Domino httpd
1352 - Lotus Domino server
5631 - PCAnywhere

During a manual assessment I discovered "admin4.nsf" on the server,
accessible without any sort of authentication. It is supposed to be
the Administrator Request Database. From the name I suppose this
should be something that shouldn't be visible to everyone. I don't
have any experience in Lotus Domino. I read a couple of docs on the
Internet but couldn't get the real implication of such a
vulnerability. I'm a little hesitant to perform any actions with the
interface as it might disrupt some activities on the server and the client
might not like it.

Is there anybody on the list who could guide me on the implication of
this vulnerability and how to get a proper sense of it? What are the
functionalities of 'admin4.nsf' and what damage could it do if an
un-authenticated user has access to it?

Looking forward to some enlightenment on this topic.

Now I'm going to download a Lotus client and see what I can do with
the other open port "1352"; looks like another hole from where I can
find my way in.

Thank you.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com
------------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:38 EDT