Penetration Testing mailing list archives

RE: Pen-Testing Lotus Notes/Domino


From: jjore () imation com
Date: Tue, 9 Oct 2001 16:08:52 -0500

While most of the points this presentation raises are correct, there are a 
few gotchas:

No password server.id files:
Yes, this is normal. You are expected to keep these files secure. Do not 
grant file system access to the server to non-admins. (as an aside, you 
can corrupt databases by allowing network file system access on a running 
server anyway).

database.nsf?$DefaultNav?OpenNavigator
See also $DefaultForm?OpenForm, $DefaultView?OpenView.

HTTP password is visible.
The *hashed* password is visible to notes client users. The default 
behaviour is to use a slightly less secure hash which is vulnerable to 
dictionary attacks. They may be upgraded to a salted hash.

ID files in the address book
This is a setting and isn't necessarily the default.

HTTP password = ID password.
That's just hooey and is not correct. It is not uncommon for users/admins 
to make this happen but it doesn't happen out of the box. This is just a 
"What, I need *another* password?" issue.

Stored Forms
<<Explained in detail>>
Yes exactly, go pick up a book on Domino development. The key here is to 
create a database with a form, embed whatever mal-code you wish, set the 
form to 'stored' and then have the form mail itself to users. This is 
where the ECL protects you from untrusted users.

I would also add the additional point that notes RPC traffic is not 
encrypted by default. While you won't be able to get someone's id file or 
password by sniffing you can get document contents. Also, while the RPC 
hasn't been reverse engineered (to my knowledge) it still may be in the 
future. There are probably one or two holes in that.

Lastly, I'm not sure whether Lotus has deemed it a bug or not but using 
the API call NSFDbReadObject you can extract file attachments regardless 
of document security. See recent bugtraq traffic on Notes for more info.

Joshua b. Jore
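The URL commands Joshua lists ($DefaultNav?OpenNavigator, $DefaultForm?OpenForm, $DefaultView?OpenView) are the usual first thing to try against a Domino web server during an audit: if a database's ACL grants Anonymous reader access, the server hands back the navigator, form or view with no credentials, and for names.nsf that includes the Person documents carrying the hashed HTTP passwords he mentions. The script below is an added example written for this archive page, not code from the thread or from Lotus. The host name, the list of system databases it probes and the canned responses in demo_fetch are assumptions for illustration; the only thing taken from the post is the set of URL commands (written in Domino's db.nsf/element?Command form). It also handles the case a practitioner trips over when Domino session authentication is enabled: a protected database answers 200 with the login form rather than a 401, so the final URL after redirects is checked before the status code.

```python
"""Probe a Domino web server for anonymously readable design elements.

Added example for this list archive, not code from the thread. The target host,
the database list and demo_fetch's responses are constructed assumptions.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Sequence, Tuple

# Hypothetical target host (assumption for the example).
DEFAULT_BASE = "http://domino.example.test"

# Standard Domino system databases worth checking; the selection is an assumption
# for this example. Extend it with names found in catalog.nsf or by guessing.
SYSTEM_DATABASES: Sequence[str] = (
    "names.nsf", "log.nsf", "catalog.nsf", "domlog.nsf",
    "admin4.nsf", "webadmin.nsf", "events4.nsf", "statrep.nsf",
)

# URL commands from the post, in Domino's db.nsf/element?Command form,
# plus ?OpenDatabase as the baseline request.
URL_COMMANDS: Sequence[str] = (
    "?OpenDatabase",
    "/$DefaultNav?OpenNavigator",
    "/$DefaultForm?OpenForm",
    "/$DefaultView?OpenView",
)

# A fetcher takes a URL and returns (HTTP status, final URL after redirects).
Fetcher = Callable[[str], Tuple[int, str]]


def build_probe_urls(base: str, databases: Sequence[str] = SYSTEM_DATABASES,
                     commands: Sequence[str] = URL_COMMANDS) -> List[str]:
    """Cartesian product of databases and URL commands under one base URL."""
    base = base.rstrip("/")
    return [f"{base}/{db}{cmd}" for db in databases for cmd in commands]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher. 4xx/5xx are results rather than exceptions; redirects are
    followed so a bounce to the session-authentication login form is visible
    in the final URL."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, url


def classify(status: int, final_url: str) -> str:
    """Turn a response into a finding. The login-form check comes first because
    a Domino server with session authentication returns 200 for a protected
    database and redirects to ...?Login instead of sending 401."""
    lowered = final_url.lower()
    if "?login" in lowered or "&login" in lowered:
        return "auth-required"
    if status == 200:
        return "anonymous-readable"
    if status in (401, 403):
        return "auth-required"
    if status == 404:
        return "absent"
    return f"other({status})"


def probe(base: str, fetch: Fetcher = http_fetch,
          databases: Sequence[str] = SYSTEM_DATABASES) -> Dict[str, str]:
    """Run every probe URL through the fetcher and classify each response."""
    return {url: classify(*fetch(url)) for url in build_probe_urls(base, databases)}


def anonymous_findings(results: Dict[str, str]) -> List[str]:
    """URLs worth reporting: design elements served with no credentials at all."""
    return sorted(url for url, finding in results.items() if finding == "anonymous-readable")


def demo_fetch(url: str) -> Tuple[int, str]:
    """Constructed stand-in for a live server (sample data, not real results):
    names.nsf is open to Anonymous, log.nsf redirects to the session login form,
    catalog.nsf demands basic authentication, everything else is absent."""
    if "/names.nsf" in url:
        return 200, url
    if "/log.nsf" in url:
        host = url.split("/log.nsf")[0]
        return 200, f"{host}/names.nsf?Login&RedirectTo=%2Flog.nsf"
    if "/catalog.nsf" in url:
        return 401, url
    return 404, url


if __name__ == "__main__":
    results = probe(DEFAULT_BASE, fetch=demo_fetch)  # swap in http_fetch for a real host
    for url in anonymous_findings(results):
        print("ANONYMOUS ", url)
    for url, finding in sorted(results.items()):
        if finding == "auth-required":
            print("PROTECTED ", url)
```

Run it against a real server by passing http_fetch (the default) and the target base URL to probe(); the demo fetcher is only there so the script runs offline. Anything that comes back "anonymous-readable" for names.nsf is the finding to chase first, since the People view and Person documents are then one ?OpenView and ?OpenDocument away, and a 200 for a system database is not by itself proof of exposure until the final URL has been checked for the ?Login redirect.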




"Enno Rey" <erey () security-academy de>
10/09/01 02:28 PM

 
        To:     "Johann van Duyn" <Johann_van_Duyn () bat com>, <pen-test () securityfocus com>
        cc: 
        Subject:        RE: Pen-Testing Lotus Notes/Domino


Hi,

take a look at

http://www.blackhat.com/presentations/bh-europe-00/TrustFactory/Trustfactory.ppt

Lots of valuable info for a pentest or audit in it...

Regards,

Enno Rey


-----Original Message-----
From: Johann van Duyn [mailto:Johann_van_Duyn () bat com]
Sent: Dienstag, 9. Oktober 2001 11:55
To: pen-test () securityfocus com
Subject: Pen-Testing Lotus Notes/Domino


Hi there...

I am about to do a security audit (of the semi-pen-test variety) on a
network with Lotus Domino and Notes R5 running on it.

I am a bit out of my depth regarding Domino and Notes, being a bit of an
Exchange fan myself. Can anyone give me a few pointers and possible gotchas
that could benefit me (and, ultimately, the company I'm working for) in
this?

Much appreciated.

:-)

Johann
Confidentiality Notice: The information in this document and
attachments is confidential and may also be legally privileged.
It is intended only for the use of the named recipient. Internet
communications are not   secure and therefore British American
Tobacco does not accept legal responsibility for the contents of
this message. If you are not the intended recipient,please notify us
immediately and then delete this document. Do not disclose the
contents of this document to any other person, nor take any copies.
Violation of this notice may be unlawful.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/