Re: Lotus Notes
From: Chad Loder <cloder(at)loder.us>
Date: Wed Nov 27 2002 - 14:03:38 EST

Hi. There are hundreds of default Lotus Notes databases to check for. Some of them are potentially very damaging, depending on what version of Domino they are running. Keep in mind that Lotus Domino has a few dozen default databases, and then factor in all the databases that come with Lotus add-ons like SameTime, DECS, etc.

The catalog.nsf database obviously gives you a list of other databases that you can then look at. Keep in mind that the catalog is not guaranteed to be up-to-date -- in other words, there may be databases on the server which are NOT listed in the catalog for one reason or another.

Another interesting database is the Name & Address book (typically /names.nsf, although you can get the real location out of the catalog database). The names.nsf database contains all sorts of detailed information about usernames, remote servers, etc. which should NEVER be made public. Depending on the version of Domino that is running, you can try accessing the hidden $Users view of the Name & Address book. This view contains the unsalted HTTP password hashes of all the users. It's very easy to launch a dictionary attack against these hashes and thereby further compromise the system. You would typically look for http://victimhost/names.nsf/$Users

David Litchfield has discovered some nice vulnerabilities, including one that lets you access the web administration template over the web, which then lets you get a full database listing and/or read any text files off the server. You can then exploit this to read the NOTES.INI file, which contains all sorts of fun information, and may give you enough information to get the server.id file or the Administrator ID file, which you could then crack (or you might not have to crack it, considering Lotus recommends that you don't use a password on your server ID file). This would let you connect back to the system as itself, using the native NotesRPC protocol (port 1352) from a Notes client.
In my pen testing, I haven't EVER found a Notes server that couldn't be owned by someone who knows what he's doing (me, hehe). I've only talked about port 80 here -- there are plenty of other Lotus Notes vulnerabilities on SMTP, POP3, DIIOP, etc. Lotus Notes, in general, requires a lot of work to secure. The way they release patches is a pain in the ass (they don't have cumulative patches between releases, which means you have to download and run a dozen incremental installers in a row). Their default database permissions are insecure, although they have been getting better in this regard (R6 has decent permissions, R5 and R4 are basically wide open out of the box).
<BLATANT PLUG>
You may want to try our NeXpose security scanner, which scans for all known Lotus Notes vulnerabilities, up to and including R6 (and in particular, it scans for tons of default databases and not only tells you what access you have, but what that database is used for and what the implications of it being open are). You can download an eval version from http://www.rapid7.com
</BLATANT PLUG>

Have fun,

Chad Loder
Rapid 7, Inc.
http://www.rapid7.com
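The default-database check described in the post above, as an added example that is not part of the original message and is not Chad Loder's or Rapid7's code. It probes a short list of well-known Domino databases directly over HTTP (so it does not depend on catalog.nsf being up to date), including the names.nsf/$Users view, and reports whether each one is readable anonymously, behind basic authentication, or redirected to a session login form. The database list, the one-line descriptions of each database, the hostname "victimhost" and the fetch helper are this example's assumptions; the real installed set varies by Domino version and add-ons.

```python
"""Probe a Domino web server for well-known default databases over HTTP.

Added example for this thread; the database list and descriptions are
assumptions about a typical R4/R5/R6 install, and "victimhost" is a placeholder.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# (HTTP status, final URL after any redirects). Status 0 means no HTTP response.
FetchResult = Tuple[int, str]

# Assumed list of default databases worth checking, with what each one holds.
DEFAULT_DATABASES: Dict[str, str] = {
    "names.nsf": "Domino Directory (Name & Address Book): users, groups, servers",
    "names.nsf/$Users": "hidden $Users view of the Directory; lists HTTP password hashes",
    "catalog.nsf": "database catalog: lists (most) databases on the server",
    "log.nsf": "server log: sessions, replication, file paths",
    "domlog.nsf": "HTTP request log",
    "webadmin.nsf": "web administration database",
    "admin4.nsf": "Administration Requests",
    "statrep.nsf": "statistics reports",
    "events4.nsf": "Statistics & Events configuration",
    "certlog.nsf": "Certification Log: certifier and registration records",
    "domcfg.nsf": "web server configuration (login form mappings)",
}


def fetch_status(url: str, timeout: float = 5.0) -> FetchResult:
    """GET `url` and return (status, final URL). Redirects are followed, so a
    server that bounces anonymous users to a login form still yields 200;
    classify() uses the final URL to tell that case apart."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-default-db-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as e:
        return e.code, e.geturl()
    except urllib.error.URLError:
        return 0, url


def classify(status: int, final_url: str) -> str:
    """Translate an HTTP result into what it says about anonymous access."""
    if status == 200 and "?login" in final_url.lower():
        # Domino session authentication redirects to e.g. /names.nsf?Login&RedirectTo=...
        return "present, redirected to session login form"
    if status == 200:
        return "readable anonymously"
    if status == 401:
        return "present, basic authentication required"
    if status == 403:
        return "present, access forbidden"
    if status == 404:
        return "not found"
    if status == 0:
        return "no HTTP response"
    return f"unexpected HTTP status {status}"


def probe_defaults(host: str, fetch: Callable[[str], FetchResult] = fetch_status,
                   scheme: str = "http") -> List[Dict[str, object]]:
    """Check every database in DEFAULT_DATABASES on `host` and return one
    finding per database: url, raw status, access classification, purpose."""
    findings: List[Dict[str, object]] = []
    for db, purpose in DEFAULT_DATABASES.items():
        url = f"{scheme}://{host}/{db}"
        status, final_url = fetch(url)
        findings.append({
            "database": db,
            "url": url,
            "status": status,
            "access": classify(status, final_url),
            "purpose": purpose,
        })
    return findings


def exposed(findings: List[Dict[str, object]]) -> List[str]:
    """Databases an anonymous web user can read outright."""
    return [str(f["database"]) for f in findings if f["access"] == "readable anonymously"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "victimhost"  # placeholder host
    results = probe_defaults(target)
    for f in results:
        print(f"{f['status']:>3}  {f['database']:<18} {f['access']:<45} {f['purpose']}")
    print("anonymously readable:", ", ".join(exposed(results)) or "none")
```

Run it as `python probe.py domino.example.com`. A 200 on names.nsf/$Users is the finding the post warns about; a 401 or a login-form redirect means the ACL denies Anonymous, which is the state you want every entry in the list to end up in.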
On Wed, Nov 27, 2002 at 01:28:07AM -0500, svetsanj@hotmail.com wrote: