Penetration Testing mailing list archives

Re: Domino testing


From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 23 Jul 2007 15:21:55 +0200 (ora solare Europa occidentale)

Hey,

On Fri, 20 Jul 2007, A Plasmoid wrote:

> I'm new to Domino testing, and have found a few interesting databases.
> I am wondering if there is anything that could be done with
> them. Specifically, there are:

> cldbdir.nsf

This is the Cluster Directory: obvious information leak.

> dba4.nsf

Besides the obvious information leak due to unrestricted access to the Database Analysis feature itself, there seems to be a file disclosure vulnerability affecting dba4.nsf, though I've not been able to find more details (see http://www.eeye.com/html/Products/Retina/RTHs/Web_Servers/).

You may try to check IBM's changelog and fix lists for anything mentioning a security vulnerability on dba4.nsf.

> qstart.nsf

Quick Start: I don't see any immediate security implications, but the golden rule of "disable all unused/unneeded stuff" should be applied.

> /sample/faqw46.nsf
> /sample/pagesw46.nsf (several others in sample)
> /help/help5_designer.nsf (several others in help)

See above.

> The ?EditDocument functionality is locked down with "basic authentication" but I can view them. There is not a lot of info (that I have found) regarding domino, so I'm hoping that some kind person here can tell me whether these things can be leveraged into a deeper level of access or not.

Here are some interesting resources about Lotus Domino/Notes security that may help in your task:

http://www.dominosecurity.org/
http://www.ngssoftware.com/papers/hpldws.pdf
http://www.fortconsult.net/images/pdf/lotusnotes_keyfiles.pdf
http://seclists.org/pen-test/2002/Nov/0034.html (all thread)
http://documents.iss.net/whitepapers/domino.pdf
http://www-128.ibm.com/developerworks/views/lotus/library.jsp
http://www-128.ibm.com/developerworks/lotus/security/
http://www.redbooks.ibm.com/redbooks/pdfs/sg247017.pdf
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg245341.pdf

And some testing tools:

http://packetstormsecurity.org/UNIX/scanners/DominoHunter-0.92.zip
http://packetstormsecurity.org/UNIX/scanners/domino.tar.gz
http://www.cqure.net/wp/?page_id=17
http://www.appsecinc.com/products/appdetective/domino/ (commercial!)
http://www.rapid7.com/nexpose/features.jsp (commercial!)
http://www.openwall.com/john
http://usuarios.lycos.es/reinob/
http://www.nestonline.com/lcrack/
http://www.securiteinfo.com/download/dhb.zip
http://www.cqure.net/wp/?page_id=12
Other commercial password crackers from Elcomsoft/Passware/etc.

> All of the other "important" databases like names.nsf, webadmin.nsf, and others are also protected with basic auth.

If compatible with scope and legal agreement, you should try to brute force the Basic Authentication to get access to the protected databases and functionalities. Some manual password guessing also doesn't hurt ;)

If you're ultimately able to get access to names.nsf, you may use my CVE-2005-2428 exploit to grab all password hashes:

http://www.0xdeadbeef.info/exploits/raptor_dominohash

> Thanks for any hints, clues, and even "Google is your friend" stuff (as long as there is a corresponding reasonable search parameter) :)

Hope this helps,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
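A defender-side log check for the two points raised in this thread (default, sample and admin databases answering anonymous requests, and Basic authentication on names.nsf/webadmin.nsf being hammered), added here as an example and not part of the original message or of any Domino tooling. It assumes the HTTP server writes a Common Log Format access log; the log lines, IP addresses and the 401 threshold below are constructed for the example.

```python
import re
from collections import Counter

# Default and administrative Domino databases named in the thread. An anonymous
# HTTP 200 on any of these means "disable unused stuff" has not been applied.
SENSITIVE_DBS = ("cldbdir.nsf", "dba4.nsf", "qstart.nsf", "names.nsf", "webadmin.nsf")
SAMPLE_DIRS = ("/sample/", "/help/")

# Common Log Format: ip ident user [time] "method path proto" status size (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_sensitive(path):
    """True if the request targets a default/sample/admin database or ?EditDocument."""
    p = path.lower()
    db, _, query = p.partition("?")
    return (any(db.endswith(name) or f"/{name}/" in db for name in SENSITIVE_DBS)
            or db.startswith(SAMPLE_DIRS)
            or query.startswith("editdocument"))

def analyse(lines, brute_threshold=5):
    """Return anonymous hits on sensitive databases and sources repeatedly failing Basic auth."""
    exposed, failures = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the run
        ip, user, path, status = m["ip"], m["user"], m["path"], m["status"]
        if status == "401":
            failures[ip] += 1  # bursts of 401s on protected DBs = password guessing
        elif status == "200" and user == "-" and is_sensitive(path):
            exposed.append((ip, path))  # anonymous access to something that should be locked
    brute = {ip: n for ip, n in failures.items() if n >= brute_threshold}
    return {"exposed": exposed, "bruteforce": brute}

# Constructed sample log (not from a real server).
LOG_LINES = """\
203.0.113.5 - - [23/Jul/2007:15:01:02 +0200] "GET /cldbdir.nsf HTTP/1.1" 200 4120
203.0.113.5 - - [23/Jul/2007:15:01:03 +0200] "GET /sample/faqw46.nsf HTTP/1.1" 200 9811
203.0.113.5 - - [23/Jul/2007:15:01:05 +0200] "GET /names.nsf HTTP/1.1" 401 0
203.0.113.5 - - [23/Jul/2007:15:01:06 +0200] "GET /names.nsf HTTP/1.1" 401 0
203.0.113.5 - - [23/Jul/2007:15:01:07 +0200] "GET /names.nsf HTTP/1.1" 401 0
203.0.113.5 - - [23/Jul/2007:15:01:08 +0200] "GET /webadmin.nsf HTTP/1.1" 401 0
203.0.113.5 - - [23/Jul/2007:15:01:09 +0200] "GET /webadmin.nsf HTTP/1.1" 401 0
198.51.100.7 - jdoe [23/Jul/2007:15:02:10 +0200] "GET /names.nsf/0/abc?EditDocument HTTP/1.1" 200 7732
192.0.2.9 - - [23/Jul/2007:15:03:00 +0200] "GET /index.html HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    print(analyse(LOG_LINES.splitlines()))
```

The authenticated ?EditDocument hit by jdoe is deliberately not flagged; only anonymous 200s and repeated 401s are reported.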


