Re: Hacking Lotus Domino 5.0.5

From: Josh Daymont (joshd@midgard.net)
Date: 10/18/01


Date: Wed, 17 Oct 2001 19:19:22 -0700 (PDT)
From: Josh Daymont <joshd@midgard.net>
To: <renato.ettisberger@ch.pwcglobal.com>
Subject: Re: Hacking Lotus Domino 5.0.5
Message-ID: <Pine.NEB.4.33.0110171918140.6833-100000@wonderlan.midgard.net>


Renato,

You should probably call Application Security Inc. (ASI). They are close
to releasing a beta-test version of a Lotus Domino Scanning/PenTesting
application that should provide all the functionality that you'll need.
This includes an account password brute forcing capability, backdoor
detection functionality and much more. ASI can be reached at (212)
490-6022 and/or http://www.appsecinc.com/.

In case your engagement ends before ASI releases, here are a few things
you may want to try. This isn't an exhaustive list of things to do and is
just intended as a starter:

With the names.nsf database you should be able to brute force some of the
Domino accounts. Currently the only source for software like this that I
know of is ASI.

Once you have brute forced some accounts...

First, can you gain access to an account that is permitted to use
webadmin.nsf? This database will allow you to do some interesting stuff,
including the ability to edit text files on the local filesystem. Just
access the database, click on the "Configuration" option, then the
"System Files" option, and then enter a file name, such as
"c:\winnt\win.ini."

Also, do you have access to the events database? If so you can create a
dummy monitor which will execute a system command when it triggers. Just
open up the events database and look under "Monitors."

Check out the unrestricted agent list in names.nsf. If you can access an
account in this list and can either create databases and/or have designer
level access to an existing database then you are home free. That assumes
that you either know LotusScript or Java.

Check the decsadmin.nsf database. This database will list any RDBMS
databases that Domino is accessing. Application Security Inc. (ASI) is
currently beta-testing an RDBMS PenTesting product for Oracle and other
databases that should allow you to gain access to just about any RDBMS by
providing just an IP address and/or network block.

-Josh Daymont
joshd@midgard.net
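
The following is an added example, not part of the original message or of any ASI product: a defender-side review of a Domino HTTP access log for the databases named above. It assumes the server writes Common Log Format; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Named in the message above; the events database has no file name on the page.
SENSITIVE = {"names.nsf", "webadmin.nsf", "decsadmin.nsf", "admin.nsf"}

# Assumed format (Common Log Format): host ident user [time] "request" status bytes
CLF = re.compile(r'(\S+) \S+ (".*?"|\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Oct/2001:10:00:01 -0700] "GET /names.nsf/People?OpenView HTTP/1.0" 200 5120
192.0.2.10 - - [17/Oct/2001:10:00:05 -0700] "GET /webadmin.nsf HTTP/1.0" 401 210
192.0.2.10 - - [17/Oct/2001:10:00:06 -0700] "GET /webadmin.nsf HTTP/1.0" 401 210
192.0.2.10 - - [17/Oct/2001:10:00:07 -0700] "GET /webadmin.nsf HTTP/1.0" 401 210
192.0.2.10 - jsmith [17/Oct/2001:10:02:00 -0700] "GET /webadmin.nsf HTTP/1.0" 200 8000
198.51.100.7 - - [17/Oct/2001:10:03:00 -0700] "GET /homepage.nsf HTTP/1.0" 200 900
198.51.100.7 - - [17/Oct/2001:10:04:00 -0700] "GET /Mail/DECSAdmin.nsf HTTP/1.0" 200 700
"""

def sensitive_db(path):
    """Return the sensitive database a request path touches, or None."""
    segments = unquote(path.split("?", 1)[0]).lower().split("/")
    return next((s for s in segments if s in SENSITIVE), None)

def audit(log_text, guess_threshold=3):
    """Return (kind, host, database, detail) findings for an access log."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        if not (m := CLF.match(line)):
            continue
        host, user, _method, path, status = m.groups()
        db = sensitive_db(path)
        if db is None:
            continue
        if status == "200" and user == "-":
            # Served without authentication: the database ACL allows Anonymous.
            findings.append(("anonymous-read", host, db, "-"))
        elif status == "200" and db != "names.nsf":
            # Authenticated use of an administration database: confirm it is expected.
            findings.append(("admin-db-login", host, db, user))
        elif status == "401":
            failures[(host, db)] += 1
    for (host, db), count in sorted(failures.items()):
        if count >= guess_threshold:
            findings.append(("repeated-auth-failure", host, db, str(count)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

An "anonymous-read" finding means the database ACL should be tightened so Anonymous has No Access; the other two kinds are review items to correlate with known administrators.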

On Mon, 15 Oct 2001 renato.ettisberger@ch.pwcglobal.com wrote:

> Hi
>
> I'm doing a pen test for a client. They have many systems in the dmz,
> including some nt/win2k boxes running IIS. Unfortunately, all IIS are
> patched :-(. But I found a vulnerable Domino 5.0.5 Server. I was able to
> download some nice files like names.nsf, the sam-file in winnt/repair and an
> admin.nsf with all user names and passwords. I think, that's a finding :-),
> but I want more.
> Is there a way to get a shell? I'm able to create files on the server or at
> least I can fill out a question form. Can I use this to create a file or
> execute a command (I don't think so, but maybe...)? Or does anybody know
> some other stuff, that I can do?
>
> As you can see, I'm not a pro in Lotus Domino.
>
> Thanks for your help
>
> regards
> Renato
> ----------------------------------------------------------------
> The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you received
> this in error, please contact the sender and delete the material from any
> computer.
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>
>
