Bugtraq mailing list archives

Re: Lotus Domino password bypass


From: Nicolas Gregoire <ngregoire () exaprobe com>
Date: Mon, 04 Feb 2002 18:57:23 +0100

04/02/2002 04:00:52, "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar> wrote :

Summary
-------
A security vulnerability has been found in the popular Lotus Domino Web server.
Lotus Domino has files like webadmin.nsf, log.nsf and names.nsf; these files
are protected by password. I discovered that it is possible to bypass this password
if you create a malformed URL.

Notes Databases '.nsf' like webadmin.nsf or log.nsf are stored in the "lotus/domino/
data/" directory, and Notes Templates '.ntf' are stored in the same place (here
is the goal).

My 0.2 Euros :

- this problem is (quite) old news and is described in detail in a David Litchfield paper.
This file can be downloaded at http://www.nextgenss.com/hpdws.zip

- you have (a little) misunderstood the problem.
Quoted from the "Hackproofing Lotus Domino Web Server" doc :

"Another method of tricking Domino into opening the Web Administrator template is
through the use of buffer truncation. By making the following request
http://server/webadmin.ntf++++++_250_pluses+++++.nsf/
access to webadmin.ntf is granted. This works because Domino attempts to protect itself
from buffer overrun attacks and chops a user request down to a safe size. In terms of
events here's what happens. Domino receives the request and converts all the pluses to
spaces and sees it has a .nsf file extension and therefore loads the database parser. The
database parser chops the end off of the request, (thus removing the .nsf)  to prevent any
buffer overrun and then looks in the lotus\domino\data directory for the file, webadmin.ntf
<space><space><space>.... which it finds and then opens. Thus again the attacker can
use webadmin.ntf's functionality."
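A toy model of the ordering bug the quoted paragraph describes, added here as an illustration; it is not code from the original post or from Domino. The safe length, the directory listing and the `hardened_resolve` checks are assumptions, not Domino's real values.

```python
from urllib.parse import unquote_plus

SAFE_LEN = 64  # assumed truncation limit; the real Domino value is not given on the page
# Constructed listing of lotus\domino\data: databases plus their unprotected templates.
DATA_DIR = {"webadmin.nsf", "webadmin.ntf", "log.nsf", "log.ntf", "names.nsf"}


def vulnerable_resolve(url_path):
    """Order of operations from the quoted paper: decode, check extension, THEN truncate."""
    name = unquote_plus(url_path.lstrip("/")).rstrip("/")  # pluses become spaces
    if not name.lower().endswith(".nsf"):
        return None  # database parser is only loaded for .nsf requests
    name = name[:SAFE_LEN]  # "chops the end off" to avoid an overrun: the .nsf is gone
    # Windows ignores trailing spaces in a file name, so "webadmin.ntf   " opens webadmin.ntf
    name = name.rstrip(" ")
    return name if name in DATA_DIR else None


def hardened_resolve(url_path):
    """Validate the final, canonical name instead of the raw request prefix."""
    name = unquote_plus(url_path.lstrip("/")).rstrip("/")
    if len(name) > SAFE_LEN:
        return None  # refuse over-long names instead of silently truncating
    if any(c.isspace() for c in name):
        return None  # whitespace is never part of a legitimate database name
    stem, _, ext = name.rpartition(".")
    if not stem or ext.lower() != "nsf":
        return None  # templates (.ntf) are never served to web clients
    return name if name in DATA_DIR else None


if __name__ == "__main__":
    probe = "/webadmin.ntf" + "+" * 250 + ".nsf/"  # the request quoted above
    print("vulnerable:", vulnerable_resolve(probe))  # -> webadmin.ntf
    print("hardened:  ", hardened_resolve(probe))    # -> None
```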



Nicob


