Penetration Testing mailing list archives
Re: Vulnerability discovered on Lotus Domino server "admin4.nsf"
From: jalvare7 () cajastur es
Date: Wed, 8 Mar 2006 09:18:02 +0100
Hi,

You'll need some docs: http://www.ibm.com/developerworks/lotus/library/ A lot, I know, but there you'll find answers to your questions. Look also at the latest vulnerabilities discovered in Lotus Domino: http://www-128.ibm.com/developerworks/lotus/security/

Now, I see there the Lotus HTTP daemon, so pretty sure you have iNotes (webmail) there. There are quite a few issues with that service and the Domino web server; in fact most Domino published problems I've seen have to do with them. First is to know the Lotus version. Though the web interface probably won't give you any banner even for errors (try it anyway), I believe the visual appearance of the interface is different between versions; that can at least tell you if it's a 5 or 6 version. You can also try some social engineering and investigate how old the installation is. Note that there's no patching with Lotus Notes (that I know), but to fix vulnerabilities you have to upgrade the version, which is a non-trivial and costly thing to do that most admins will give an ugly face at. Lotus Domino users in general have a false understanding that Lotus is a "very secure" platform, in part because it is proprietary in its core architecture and not easily found out of corporate land. So, you can work on the assumption that from the installation up there hasn't been any fixing.

Port 1352 will probably disappoint you, for Lotus speaks an RPC protocol there, and unless you are trying some proof-of-concept exploit there, or feel like doing some protocol analysis... There's one very recent vulnerability there related to the authentication process, probably the most juicy result you could expect to find on the vulnerabilities ground. Also, there are known problems with the passwords used for web access; that's something you'll also want to check. There are some tools to test web passwords, like Lodowep; I've never tried generic password crackers.
The Lotus Notes client will need an ID file to do anything; if you don't have one, look around for it. Some clues: many times it's installed in the user box under the Lotus installation folder. If you can penetrate a user desktop you can get one. If that user is the Lotus admin you could get to impersonate her/him. There could also be some in some shared folder, and there most probably are some in the server itself (try to exploit some W2K problem). Once you have it you'll also need the ID password. I only know of one tool to crack that ID file's password, and it is commercial (ID Password Recovery). Do not change that password, because if the server is configured to check it, it will complain when the real user next authenticates, alerting of your activities.

Mind, Lotus Notes logs are nasty and mostly unhelpful in my experience (I really would thank anyone who could correct me by explaining how to use them effectively). You could be banging on the login form of the web client and not leaving any trace (at the logs).

Once you have access to Lotus Notes with any user's ID, go and look for unprotected databases (be very careful to only check access control in the properties of the database and not open any if your assignment does not explicitly allow you). One database that everyone can read is the Lotus Dictionary, named "names.nsf". That's a real piece of cake, for you can not only find out who's who, but also give a look at all aspects of the Lotus Domino server configuration (I consider that a built-in vulnerability on the part of the product). Note that names.nsf could also be browsed from the web interface in most cases, even when the user has no access permission to any database through the web.

Hope you found all this long reading helpful :-)

--------------------------------------------

Hi,

I'm doing an external blackbox PT on a mail server running Lotus Domino. The server OS is Windows 2000 and the web server is Lotus Domino.
It has the following ports open:

- 80 - Lotus Domino httpd
- 443 - Lotus Domino httpd
- 1352 - Lotus Domino server
- 5631 - PCAnywhere

During a manual assessment I discovered "admin4.nsf" on the server, accessible without any sort of authentication. It is supposed to be the Administrator Request Database. From the name I suppose this should be something that shouldn't be visible to everyone. I don't have any experience in Lotus Domino. I read a couple of docs on the Internet but couldn't get the real implication of such a vulnerability. I'm a little hesitant to perform any actions with the interface as it might disrupt some activities on the server and the client might not like it. Is there anybody on the list who could guide me on the implication of this vulnerability and how to get a proper sense of it? What are the functionalities of 'admin4.nsf' and what damage could it do if an unauthenticated user has access to it? Looking forward to some enlightenment on this topic.

Now I'm going to download a Lotus client and see what I can do with the other open port "1352"; looks like another hole from where I can find my way in.

Thank you.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product.
Contact us at request () cenzic com
------------------------------------------------------------------------------
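Both messages above turn on the same question: does a Domino database such as admin4.nsf or names.nsf answer an anonymous web request at all, or does the server put a login in front of it? The following audit script is an added example, not code from the thread or from IBM; a Domino administrator can run it against their own server to confirm the ACL for Anonymous is what they think it is. It checks only the two databases the thread names. The host is a placeholder, and it assumes (this is the one Domino behaviour it relies on) that a server with session authentication answers an unauthenticated request with HTTP 200 plus a login form containing a password field, so a 200 by itself is not proof that the database is readable.

```python
# Added example (not from the thread): audit whether the two Domino databases
# discussed above answer anonymous HTTP requests. Point it at your own server;
# the default BASE_URL is a placeholder.
import sys
import urllib.error
import urllib.request

DATABASES = ("admin4.nsf", "names.nsf")   # the two databases named in the thread
BASE_URL = "https://domino.example.invalid"  # placeholder, replace with your server


def classify(status, body):
    """Map an HTTP status and lower-cased body to an access verdict.

    Assumption: Domino session authentication returns 200 with a login form
    (a password input) instead of 401, so a 200 is only "anonymous-readable"
    when no password field is present.
    """
    if status == 404:
        return "absent"
    if status in (401, 403):
        return "protected"
    if status == 200:
        if 'type="password"' in body or "type='password'" in body:
            return "login-form"
        return "anonymous-readable"
    return "other:%d" % status


def fetch(url, timeout=10):
    """GET with no credentials; returns (status, body) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-acl-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace").lower()
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace").lower()


def audit(base_url, databases=DATABASES, fetcher=fetch):
    """Return {database: verdict}. The fetcher is injectable so the verdict
    logic can be exercised offline with canned responses."""
    results = {}
    for db in databases:
        status, body = fetcher(base_url.rstrip("/") + "/" + db)
        results[db] = classify(status, body)
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else BASE_URL
    for db, verdict in audit(base).items():
        note = "  <-- review the ACL entry for Anonymous" if verdict == "anonymous-readable" else ""
        print("%-12s %s%s" % (db, verdict, note))
```

Run it as `python audit.py https://your-domino-host`; an `anonymous-readable` verdict for either database means the web ACL grants Anonymous more than No Access, which is the condition the original poster observed on admin4.nsf and the reply describes for names.nsf.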
Current thread:
- Vulnerability discovered on Lotus Domino server "admin4.nsf" 3 shool (Mar 07)
- RE: Vulnerability discovered on Lotus Domino server "admin4.nsf" Enrique A. Sanchez Montellano (Mar 07)
- Message not available
- Re: Vulnerability discovered on Lotus Domino server "admin4.nsf" 3 shool (Mar 07)
- RE: Vulnerability discovered on Lotus Domino server "admin4.nsf" Enrique A. Sanchez Montellano (Mar 07)
- Re: Vulnerability discovered on Lotus Domino server "admin4.nsf" 3 shool (Mar 07)
- Re: Vulnerability discovered on Lotus Domino server "admin4.nsf" Alex Kloss (Mar 07)
- <Possible follow-ups>
- Re: Vulnerability discovered on Lotus Domino server "admin4.nsf" jalvare7 (Mar 08)
- Re: Vulnerability discovered on Lotus Domino server "admin4.nsf" jalvare7 (Mar 08)
- Re: Vulnerability discovered on Lotus Domino server "admin4.nsf" jalvare7 (Mar 08)
- Re: Vulnerability discovered on Lotus Domino server "admin4.nsf" 3 shool (Mar 09)
- Re: Re: Vulnerability discovered on Lotus Domino server "admin4.nsf" ron (Mar 28)