Penetration Testing mailing list archives

Re: Vulnerability discovered on Lotus Domino server "admin4.nsf"


From: jalvare7 () cajastur es
Date: Wed, 8 Mar 2006 09:18:02 +0100

Hi,

You'll need some docs:

http://www.ibm.com/developerworks/lotus/library/

A lot, I know, but there you'll find answers to your questions.
Look also at the latest vulnerabilities discovered in Lotus Domino:

http://www-128.ibm.com/developerworks/lotus/security/

Now, I see the Lotus HTTP daemon there, so pretty surely you have iNotes (webmail) there. There are quite a few issues with that service and the Domino web server; in fact, most published Domino problems I've seen have to do with them.

First is to know the Lotus version. Though the web interface probably won't give you any banner, even for errors (try it anyway), I believe the visual appearance of the interface is different between versions; that can at least tell you if it's a 5 or 6 version. You can also try some social engineering and investigate how old the installation is. Note that there's no patching with Lotus Notes (that I know of); to fix vulnerabilities you have to upgrade the version, which is a non-trivial and costly thing to do that most admins will make an ugly face at. Lotus Domino users in general have a false understanding that Lotus is a "very secure" platform, in part because it is proprietary in its core architecture and not easily found outside of corporate land. So, you can work on the assumption that from the installation onward there hasn't been any fixing.

Port 1352 will probably disappoint you, for Lotus speaks an RPC protocol there, unless you are trying some proof-of-concept exploit there or feel like doing some protocol analysis... There's one very recent vulnerability there related to the authentication process, probably the juiciest result you could expect to find on the vulnerabilities ground. Also, there are known problems with the passwords used for web access; that's something you'll also want to check. There are some tools to test web passwords, like Lodowep; I've never tried generic password crackers.

The Lotus Notes client will need an ID file to do anything; if you don't have one, look around for it. Some clues: many times it's installed on the user box under the Lotus installation folder. If you can penetrate a user desktop you can get one. If that user is the Lotus admin you could get to impersonate him/her. There could also be some in some shared folder, and there most probably are some on the server itself (try to exploit some W2K problem). Once you have it you'll also need the ID password. I only know of one tool to crack that ID file's password, and it is commercial (ID Password Recovery). Do not change that password, because if the server is configured to check it, it will complain when the real user next authenticates, alerting them to your activities. Mind, Lotus Notes logs are nasty and mostly unhelpful in my experience (I really would thank anyone who could correct me by explaining how to use them effectively). You could be banging on the login form of the web client and not leaving any trace (in the logs).

Once you have access to Lotus Notes with any user's ID, go and look for unprotected databases (be very careful to only check access control in the properties of the database and not open any if your assignment does not explicitly allow you). One database that everyone can read is the Lotus Dictionary, named "names.nsf". That's a real piece of cake, for you can not only find out who's who, but also take a look at all aspects of the Lotus Domino server configuration (I consider that a built-in vulnerability on the part of the product). Note that names.nsf could also be browsed from the web interface in most cases, even when the user has no access permission to any database through the web.

Hope you found all this long reading helpful :-)
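The reply above and the quoted question both turn on one configuration fact: whether a Domino database such as admin4.nsf or names.nsf is served over HTTP to an anonymous client. The script below is an added example, not code from either poster, that an administrator can run against their own server to check exactly that. It assumes the databases sit at the web root and that Domino's session login redirects to names.nsf?Login (a common default, treated here as an assumption); the login-form heuristic is a plain password-field check.

```python
"""Audit whether the Domino databases named in the thread are readable over
HTTP without credentials.  Constructed example for checking your own server."""
import sys
import urllib.error
import urllib.request

# Databases discussed in the thread.  Assumption: they live at the web root.
DATABASES = ("admin4.nsf", "names.nsf")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a bounce to the login form stays visible."""
    def redirect_request(self, *args, **kwargs):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def classify(status, location, body):
    """Classify one unauthenticated response.

    'protected': 401, a redirect to a ?Login URL (assumed Domino session login),
    or a 200 that is itself a login form (contains a password field).
    'open': any other 200, i.e. the database was served anonymously.
    'other': anything else (404, 500, ...), left for manual review.
    """
    if status == 401:
        return "protected"
    if status in (301, 302, 303, 307) and "?login" in (location or "").lower():
        return "protected"
    if status == 200:
        return "protected" if 'type="password"' in body.lower() else "open"
    return "other"


def fetch(url):
    """Return (status, Location header, first 4 KiB of body); no exception on HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-anon-audit"})
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(4096).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read(4096).decode("latin-1")


def audit(base_url, fetcher=fetch):
    """Map each database to its verdict; fetcher is injectable for offline testing."""
    return {db: classify(*fetcher(f"{base_url.rstrip('/')}/{db}")) for db in DATABASES}


if __name__ == "__main__":
    for db, verdict in audit(sys.argv[1]).items():
        print(f"{db}: {verdict}")
```

Any "open" verdict means the database ACL grants Anonymous read access (or the server allows it by default) and should be reviewed in the database properties.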

--------------------------------------------

Hi,

I'm doing an external blackbox PT on a mail server running Lotus
Domino. The server OS is Windows 2000 and web server is Lotus Domino.
It has following ports open:

80 - Lotus Domino httpd
443 - Lotus Domino httpd
1352 - Lotus Domino server
5631 - PCAnywhere

During a manual assessment I discovered "admin4.nsf" on the server,
accessible without any sort of authentication.  It is supposed to be
the Administrator Request Database. From the name I suppose this
should be something that shouldn't be visible to everyone. I don't
have any experience in Lotus Domino. I read a couple of docs on the
Internet but couldn't get the real implication of such a
vulnerability. I'm a little hesitant to perform any actions with the
interface as it might disrupt some activities on the server and the client
might not like it.

Is there anybody on the list who could guide me on the implication of
this vulnerability and how to get a proper sense of it? What are the
functionalities of 'admin4.nsf' and what damage could it do if an
unauthenticated user has access to it?

Looking forward to some enlightenment on this topic.

Now I'm going to download a Lotus client and see what I can do with
the other open port, "1352"; looks like another hole from where I can
find my way in.

Thank you.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
As attacks through web applications continue to rise, you need to 
proactively 
protect your applications from hackers. Cenzic has the most comprehensive 
solutions to meet your application security penetration testing and 
vulnerability management needs. You have an option to go with a managed 
service (Cenzic ClickToSecure) or an enterprise software (Cenzic 
Hailstorm). 
Download FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 

results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------
