Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Domino testing
From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 23 Jul 2007 15:21:55 +0200 (ora solare Europa occidentale)

Hey,

On Fri, 20 Jul 2007, A Plasmoid wrote:

I'm new to Domino testing, and have found a few interesting databases.
I am wondering if there is anything that could be done with
them.Specifically,  there are:

cldbdir.nsf

This is the Cluster Directory: obvious information leak.

dba4.nsf

Beside the obvious information leak due to unrestricted access to the Database Analysis feature itself, there seems to be a file disclosure vulnerability affecting dba4.nsf, though i've not been able to find more details (see http://www.eeye.com/html/Products/Retina/RTHs/Web_Servers/).

You may try to check IBM's changelog and fix lists for anything mentioning a security vulnerability on dba4.nsf.

qstart.nsf

Quick Start: i don't see any immediate security implications, but the golden rule of "disable all unused/unneded stuff" should be applied.

/sample/faqw46.nsf
/sample/pagesw46.nsf (several others in sample)
/help/help5_designer.nsf (several others in help)

See above.

The ?EditDocument functionality is locked down with "basic authentication" but I can view them.There is not a lot of info (that I have found) regarding domino, so I'm hoping that some kind person here can tell me whether these things can be leveraged into a deeper level of access or not.

Here are some interesting resources about Lotus Domino/Notes security that may help in your task:

http://www.dominosecurity.org/
http://www.ngssoftware.com/papers/hpldws.pdf
http://www.fortconsult.net/images/pdf/lotusnotes_keyfiles.pdf
http://seclists.org/pen-test/2002/Nov/0034.html (all thread)
http://documents.iss.net/whitepapers/domino.pdf
http://www-128.ibm.com/developerworks/views/lotus/library.jsp
http://www-128.ibm.com/developerworks/lotus/security/
http://www.redbooks.ibm.com/redbooks/pdfs/sg247017.pdf
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg245341.pdf

And some testing tools:

http://packetstormsecurity.org/UNIX/scanners/DominoHunter-0.92.zip
http://packetstormsecurity.org/UNIX/scanners/domino.tar.gz
http://www.cqure.net/wp/?page_id=17
http://www.appsecinc.com/products/appdetective/domino/ (commercial!)
http://www.rapid7.com/nexpose/features.jsp (commercial!)
http://www.openwall.com/john
http://usuarios.lycos.es/reinob/
http://www.nestonline.com/lcrack/
http://www.securiteinfo.com/download/dhb.zip
http://www.cqure.net/wp/?page_id=12
Other commercial password crackers from Elcomsoft/Passware/etc.

All of the other "important" databases like names.nsf, webadmin.nsf, and others are also protected with basic auth.

If compatible with scope and legal agreement, you should try to brute force the Basic Authentication to get access to the protected databases and functionalities. Some manual password guessing also doesn't hurt;)

If you're ultimately able to get access to names.nsf, you may use my CVE-2005-2428 exploit to grab all password hashes:

http://www.0xdeadbeef.info/exploits/raptor_dominohash

Thanks for any hints, clues, and even "Google is your friend" stuff (as long as there is a corresponding reasonable search parameter ) :)

Hope this helps,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault