
| Subject: | CYBSEC - Security Advisory: Default Configuration Information Disclosure in Lotus Domino |
|---|---|
| Date: | Tue, 26 Jul 2005 15:36:29 -0300 |
(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Default Configuration Information Disclosure in Lotus Domino (Including password hashes)

Vulnerability Class: Default Configuration/Information Disclosure

Release Date: 07/26/2005

Affected Applications:
* Lotus Domino R5 WebMail
* Lotus Domino R6 WebMail
* Lotus Domino R4 wasn't audited.

Affected Platforms:
* Platform-Independent

Local / Remote: Remote

Severity: High

Author: Leandro Meiners.

Vendor Status:
* Configuration fix supplied by vendor.

Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

Overview:
=========

IBM Lotus Domino is an integrated collaborative environment that provides messaging, calendaring and scheduling capabilities. IBM Lotus Domino WebMail is one of the client components for accessing Lotus Domino messaging capabilities; it provides a Web interface to Lotus Domino.

Vulnerability Description:
==========================

The main directory database for Lotus Domino, names.nsf, defined as the Public Address Book, is by default readable by all users. Therefore, all users are allowed to view a person's entry. When any unprivileged user views a person's entry there is a field called "Internet Password" that is blank, meaning that the user can't view the password hash. However, if the Web page source is inspected ("view page source" in Internet Explorer) there is a hidden field called "HTTPPassword" which contains the password hash. The same problem applies to all other fields that appear as blank: if they have a value defined, then that value is stored in a hidden field.

Other critical information can be retrieved (under Release 6), such as:
* The change date of the password (field "HTTPPasswordChangeDate")
* The client's platform (field "ClntPltfrm")
* The client's machine name (field "ClntMachine")
* The client's Lotus Domino release (field "ClntBld")

Exploit:
========

No exploit required. Nevertheless, it is appropriate to mention that there are Lotus Domino password crackers such as Domino Hash Breaker (tested on Lotus Domino R5 and R6 with the appropriate DLL), available at http://www.securiteinfo.com/outils/DominoHashBreaker.shtml. Furthermore, the algorithm used by Lotus Domino to hash the password doesn't use a salt, meaning that the string "355E98E7C7B59BD810ED845AD0FD2FC4" is always the hash for the string "password". This allows passwords to be pre-computed in order to construct a hash database of common passwords or even all six- to eight-character combinations, minimizing the time needed to crack a password.

Solutions:
==========

IBM's solution to the problem, to hide the HTTP password from the HTML source:

1) Open the $PersonalInheritableSchema subform (in the Designer under Shared Code, Subforms).
2) Find the fields $dspHTTPPassword and HTTPPassword.
3) In the field properties for both fields, on the hide tab under "Hide paragraph from", check "Web browsers".
4) Open the Person form (under Forms).
5) In the form properties, on the 2nd tab, disable the option "Generate HTML for all fields".

We found step five to be sufficient to hide all the above-mentioned fields.

Vendor Response:
================

04/22/2005: Initial vendor contact.
05/09/2005: Vendor response stating that they couldn't find a way to remove the hidden fields.
06/02/2005: Vendor opens a new case regarding the vulnerability.
06/28/2005: Vendor response with a configuration to fix the vulnerability.

Thanks:
=======

Special thanks go to Claudia Iaconis, Adrian Saucedo and Tadeo Cwierz.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
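As an added example (not part of the advisory or of IBM's fix), the following check lets an administrator verify, from the saved HTML source of a Person document in names.nsf, whether any of the hidden fields named above still carry a value after applying the configuration change. The two HTML pages are constructed samples; the field names are those the advisory lists, and the hash value is the advisory's own example.

```python
from html.parser import HTMLParser

# Hidden field names the advisory reports as leaking from names.nsf Person documents.
SENSITIVE_FIELDS = {
    "HTTPPassword", "HTTPPasswordChangeDate",
    "ClntPltfrm", "ClntMachine", "ClntBld",
}


class HiddenInputCollector(HTMLParser):
    """Collects every <input type="hidden"> name/value pair found in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def find_leaked_fields(html):
    """Return {field: value} for sensitive hidden fields that still carry a value."""
    parser = HiddenInputCollector()
    parser.feed(html)
    return {n: v for n, v in parser.hidden.items()
            if n in SENSITIVE_FIELDS and v != ""}


# Constructed sample of a Person document as served before the fix: the visible
# "Internet Password" cell is blank, but hidden inputs still carry the values.
# The hash is the advisory's example (the unsalted Domino hash of "password").
BEFORE_FIX = """<html><body><form>
<tr><td>Internet Password:</td><td></td></tr>
<input name="HTTPPassword" type="hidden" value="355E98E7C7B59BD810ED845AD0FD2FC4">
<input name="ClntMachine" type="hidden" value="EXAMPLE-PC">
<input name="ClntPltfrm" type="hidden" value="">
</form></body></html>"""

# Constructed sample after disabling "Generate HTML for all fields" (step 5);
# "FormName" is a made-up, harmless hidden field kept to show it is ignored.
AFTER_FIX = """<html><body><form>
<tr><td>Internet Password:</td><td></td></tr>
<input name="FormName" type="hidden" value="Person">
</form></body></html>"""


if __name__ == "__main__":
    for label, page in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        leaked = find_leaked_fields(page)
        print(label, "->", "leaks " + ", ".join(sorted(leaked)) if leaked else "clean")
```

Feed the function the raw page source as saved by the browser; a field whose hidden input is present but empty is reported as clean, matching the advisory's point that only fields with a defined value leak.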