Penetration Testing mailing list archives

Re: [PEN-TEST] Lotus Notes
From: "WEISZ-KOVES, Aaron" <aweisz-koves () WESTPAC COM AU>
Date: Thu, 28 Sep 2000 11:31:32 +1100

I'd say to avoid allowing NRPC out of the firewall to the Internet if
possible. The main reason to be concerned is that Notes ID files are a pretty
big risk - they are a great method of authenticating, validating and
maintaining encryption, but there is no way to prevent someone brute-forcing
the ID file if they can get hold of it. In most cases I've seen, the ID files
are either attached to the person document in the NAB or left lying around
in some world-readable directory on the network because this makes it easier
for the users to move around.

The only DOS attack I am aware of for Domino is to continually request an
agent in a database to tie up resources. The only real danger here is if the
permissions on a database are set to allow an anonymous user to execute an
agent, which would seem to indicate a lack of care in the rest of the server
configuration that probably means there would be bigger problems with the
configuration anyway.

The main concern with allowing NRPC from the Internet to the Lotus
Notes/Domino server is the inability to prevent a process of privilege
escalation. One of the great things about Domino is the ability to set a
maximum level of use through the http ports to effectively limit what
someone can do externally (if NRPC is not allowed out) down to, say, Author.
But the server might not have been configured to use secure internet
passwords, or maybe the NAB contains some ID files. Domino doesn't lock
after a number of bad password attempts, so an NAB that is readable via http
will allow someone to take a stab at a username (and Domino is often
configured to pattern match an Internet username to the real user account,
so I could guess "John G" and probably come up with a matching account),
which will probably let me into the NAB, where I can find myself another
more privileged account to break or maybe some ID files which would allow me
to come back and use the NRPC access rights of the user - maybe http said I
could only be a maximum of an Author, but the account I grabbed is a Manager
of a database on the system via NRPC. On my Web servers I make sure that any
database not explicitly required has No access set as the maximum http
access, and because I'm paranoid I remove webadmin.nsf and webadmin.ntf. I
don't like the ability to modify group memberships and everything else in
the Web administrator being protected only by a password that is probably
passed in the clear because no one thought to use SSL.

In summary, I think having NRPC (tcp/1352) accessible from the Internet
undermines what I consider to be the best Web security function of Domino -
the maximum Internet access setting in the ACL. It also means you can't stop an
external server using a stolen server ID in conjunction with a SYN flood to
the legitimate server from accessing your domain as a localdomainserver, and
imagine the havoc that could cause. But there are adequate configuration
controls in Domino that can minimise the risk, they just are never used by

But these are just my ideas. As I have voiced on this list before, I'd
really like to find someone who can help me try these techniques. Who knows,
maybe Lotus Notes/Domino is actually as secure as everyone likes to assume
it is.

Aaron (Ari) Weisz-Koves
Consultant - NT Security - Operational Risk
Ph. 9902 (5) 6317
PGP fingerprint: 1DBF CDD8 ED19 BFB8 9ED1  738B 62A2 9DBC 7F3F FFD4
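The post above flags Notes ID files left in world-readable directories as the main reason to keep NRPC off the Internet. The following script is an added example, not part of the original post or of Lotus/Domino: it walks a directory tree, finds files with the `.id` extension, and reports any that are readable by "others" in their POSIX permission bits, so an administrator can audit a file server or user home area for exposed ID files. The directory layout and permission values in `build_sample_tree` are constructed test data; the `.id` extension as the marker for Notes ID files is an assumption of this example.

```python
import os
import stat
import tempfile


def find_exposed_id_files(root):
    """Return sorted (path, mode) tuples for *.id files under root that
    are readable by 'others' (the world-readable case the post describes)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            # Assumption: Notes ID files carry a .id extension.
            if not name.lower().endswith(".id"):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                # Unreadable or vanished entry: skip rather than abort the audit.
                continue
            if st.st_mode & stat.S_IROTH:
                findings.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a temp tree with one world-readable ID file,
    one ID file locked to its owner, and an unrelated world-readable file."""
    root = tempfile.mkdtemp(prefix="notes_ids_")
    shared = os.path.join(root, "shared")
    home = os.path.join(root, "home", "jgreen")
    os.makedirs(shared)
    os.makedirs(home)

    exposed = os.path.join(shared, "user.id")
    locked = os.path.join(home, "jgreen.id")
    unrelated = os.path.join(shared, "README.txt")
    for path in (exposed, locked, unrelated):
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")

    # Set permissions explicitly so the result does not depend on the umask.
    os.chmod(exposed, 0o644)   # others can read: should be reported
    os.chmod(locked, 0o600)    # owner only: should not be reported
    os.chmod(unrelated, 0o644) # not an ID file: ignored
    return root


def report(root):
    """Print an audit summary and return the number of exposed ID files."""
    findings = find_exposed_id_files(root)
    for path, mode in findings:
        print("world-readable ID file: %s (mode %o)" % (path, mode))
    if not findings:
        print("no world-readable ID files under %s" % root)
    return len(findings)


if __name__ == "__main__":
    report(build_sample_tree())
```

Run it against a real share by replacing `build_sample_tree()` with the path to audit; on Windows the POSIX "others" bit is not meaningful, so this check applies to Unix file servers or Samba exports backed by POSIX modes.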

-----Original Message-----
From: D V [mailto:mysecurite () YAHOO FR]
Sent: Wednesday, 27 September 2000 9:49 PM
Subject: [PEN-TEST] Lotus Notes

Hi everybody,

I would like to have your opinion regarding a point on
Lotus Notes security. Imagine you have a Lotus Notes
server connecting to the Internet; you can have access
to databases through HTTP and access to the TCP port
1352 (Lotus Notes port).

So what is the risk associated with having the 1352 port
open on the Internet? Intrusion, DoS?
And how to exploit the vulnerability?

Thanks in advance.

