Re: Script for find domino's users

From: Chad Loder (chadat_private)
Date: Thu Jan 31 2002 - 16:56:36 PST


    You should also turn off "Read Public Documents" and "Write Public
    Documents" because these settings apply even when the ACL is
    otherwise set to No Access.
    
    In addition, the posted script will give false positives on
    many Domino servers on which requests for sensitive databases
    will automatically redirect to the Login page (with a "200 OK"
    HTTP message).
    
    There are literally hundreds of default databases installed
    not only with the base Domino server but also with typical
    add-on features like DOLS, SameTime, QuickPlace, and LEI. Many
    of these have poor default ACLs.
    
    Allow me to give a blatant plug for NeXpose, Rapid 7's security
    scanning tool. It scans for over 170 Domino vulnerabilities
    (including the misconfigured ACLs of the databases I mentioned,
    buffer overflows, cross site scripting, etc.).
    
    NeXpose also has a nice feature of automatically pulling all
    the usernames and HTTP password hashes (in many cases) out of
    the server's NAB, if it has the default ACLs.
    
    You can download it from http://www.rapid7.com
    
    Also, you'll want to get the Falling Dominos presentation that
    Kevin McPeake and Chris Coggins have been giving at DEFCon.
    Do a Google search for Falling Dominos and you should be able
    to find it archived somewhere.
    
             Chad Loder
             Rapid 7, Inc.
    
    At Thursday 1/31/2002 08:03 PM +0000, you wrote:
    
    >This isn't a proof of concept, but more a probe for misconfigured database
    >ACLs.
    >
    >If a Domino web server doesn't have a redirection URL for /mail/* mail
    >files, then you rely on the access control for each mail file.
    >
    >Two things can be done to avoid this :
    >
    >1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to :
    >       Anonymous - No access
    >       [Default] - No access
    >
    >2 - Within the Server Document for each server, ensure that "Allow HTTP
    >clients to browse databases:" is set to "No"
    >
    >I believe that all versions of Domino server from 4.5 upwards are
    >susceptible to badly configured ACLs. Any good administrator would have a
    >hold of this already.
    >
    >
    >
    >#!/usr/local/bin/php -q
    ><?
    >
    ><snip>
    >
    ></snip>
    >
    >fclose ($fd);
    >
    >?>
    
    ______________________________________
    Chad Loder <chadat_private>
    Principal Engineer
    Rapid 7, Inc. <http://www.rapid7.com>
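As an added illustration of the ACL hardening discussed in this thread (it is not code from the thread, from Rapid 7, or from NeXpose), the following Domino Java agent walks the server's databases and reports any Anonymous or -Default- entry that is above No Access or that still has "Read public documents" / "Write public documents" set. It assumes the lotus.domino Java API and that the agent runs on the server with rights to open each database; the class and method names are the example's own.

```java
import lotus.domino.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical audit agent: flags the two ACL entries that govern
// unauthenticated web access, plus the public-document flags, which
// grant access even when the entry's level is No Access.
public class DominoAclAudit extends AgentBase {

    // Names the Notes API uses for the entries the thread discusses.
    private static final String ANON = "Anonymous";
    private static final String DEFAULT = "-Default-";

    // Returns one finding per weak setting; an empty list means the ACL
    // matches the hardening recommended in the thread.
    public static List<String> auditAcl(ACL acl, String path) throws NotesException {
        List<String> findings = new ArrayList<String>();
        ACLEntry entry = acl.getFirstEntry();
        while (entry != null) {
            String name = entry.getName();
            if (name.equalsIgnoreCase(ANON) || name.equalsIgnoreCase(DEFAULT)) {
                if (entry.getLevel() != ACL.LEVEL_NOACCESS) {
                    findings.add(path + ": " + name + " level is " + entry.getLevel());
                }
                if (entry.isPublicReader()) {
                    findings.add(path + ": " + name + " may read public documents");
                }
                if (entry.isPublicWriter()) {
                    findings.add(path + ": " + name + " may write public documents");
                }
            }
            entry = acl.getNextEntry(entry);
        }
        return findings;
    }

    public void NotesMain() {
        try {
            Session session = getSession();
            DbDirectory dir = session.getDbDirectory(null); // null = this server
            Database db = dir.getFirstDatabase(DbDirectory.DATABASE);
            while (db != null) {
                if (!db.isOpen()) db.open();
                for (String finding : auditAcl(db.getACL(), db.getFilePath())) {
                    System.out.println(finding);
                }
                db = dir.getNextDatabase();
            }
        } catch (NotesException e) {
            e.printStackTrace();
        }
    }
}
```

A database with no Anonymous entry falls back to -Default- for unauthenticated web users, so both entries are checked; the server document's "Allow HTTP clients to browse databases" setting is a separate control and is not covered here.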
    