While most of the points this presentation raises are correct, there are a few gotchas:

No password server.id files: Yes, this is normal. You are expected to keep these files secure. Do not grant file system access to the server to non-admins. (As an aside, you can corrupt databases by allowing network file system access on a running server anyway.)

database.nsf?$DefaultNav?OpenNavigator: See also $DefaultForm?OpenForm, $DefaultView?OpenView.

HTTP password is visible: The *hashed* password is visible to Notes client users. The default behaviour is to use a slightly less secure hash which is vulnerable to dictionary attacks. They may be upgraded to a salted hash.

ID files in the address book: This is a setting and isn't necessarily the default.

HTTP password = ID password: That's just hooey and is not correct. It is not uncommon for users/admins to make this happen, but it doesn't happen out of the box. This is just a "What, I need *another* password?" issue.

Stored Forms <<Explained in detail>>: Yes, exactly; go pick up a book on Domino development. The key here is to create a database with a form, embed whatever mal-code you wish, set the form to 'stored' and then have the form mail itself to users. This is where the ECL protects you from untrusted users.

I would also add the additional point that Notes RPC traffic is not encrypted by default. While you won't be able to get someone's ID file or password by sniffing, you can get document contents. Also, while the RPC hasn't been reverse engineered (to my knowledge), it still may be in the future. There are probably one or two holes in that.

Lastly, I'm not sure whether Lotus has deemed it a bug or not, but using the API call NSFDbReadObject you can extract file attachments regardless of document security. See recent bugtraq traffic on Notes for more info.

Joshua b. Jore

"Enno Rey" <erey@security-academy.de> 10/09/01 02:28 PM
To: "Johann van Duyn" <Johann_van_Duynat_private>, <pen-testat_private>
cc:
Subject: RE: Pen-Testing Lotus Notes/Domino

Hi,

take a look at http://www.blackhat.com/presentations/bh-europe-00/TrustFactory/Trustfactory.ppt

Lots of valuable info for a pentest or audit in it...

Regards,
Enno Rey

-----Original Message-----
From: Johann van Duyn [mailto:Johann_van_Duynat_private]
Sent: Tuesday, 9 October 2001 11:55
To: pen-testat_private
Subject: Pen-Testing Lotus Notes/Domino

Hi there...

I am about to do a security audit (of the semi-pen-test variety) on a network with Lotus Domino and Notes R5 running on it. I am a bit out of my depth regarding Domino and Notes, being a bit of an Exchange fan myself. Can anyone give me a few pointers and possible gotchas that could benefit me (and, ultimately, the company I'm working for) in this?

Much appreciated. :-)

Johann

Confidentiality Notice: The information in this document and attachments is confidential and may also be legally privileged. It is intended only for the use of the named recipient. Internet communications are not secure and therefore British American Tobacco does not accept legal responsibility for the contents of this message. If you are not the intended recipient, please notify us immediately and then delete this document. Do not disclose the contents of this document to any other person, nor take any copies. Violation of this notice may be unlawful.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
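Joshua's point above, that Domino's default HTTP password hash is the weaker unsalted one and that accounts can be moved to a salted hash, suggests a simple audit check: find which Person documents are still carrying the legacy hash. The following is an added example, not code from this thread or from Lotus. It classifies HTTPPassword values from a constructed tab-separated directory export purely by shape. The two shapes it looks for (32 hex characters for the legacy unsalted hash; a parenthesised value beginning with G for the salted format), the column layout, and all sample values are assumptions, not something the post states, so confirm them against your own Domino release before trusting the counts.

```python
import re
from collections import Counter

# Assumed formats (the mailing-list post does not spell these out):
#   - legacy unsalted Domino HTTP hash: 32 hex digits
#   - "more secure" salted format: '(' + 'G' + base64-style characters + ')'
# Both patterns are assumptions to verify against a real directory export.
LEGACY_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SALTED_RE = re.compile(r"^\(G[A-Za-z0-9+/]{18,24}\)$")


def classify(http_password):
    """Return 'legacy', 'salted', 'empty' or 'unknown' for one HTTPPassword value."""
    value = (http_password or "").strip()
    if not value:
        return "empty"
    if LEGACY_RE.match(value):
        return "legacy"
    if SALTED_RE.match(value):
        return "salted"
    return "unknown"


def audit_export(export_text):
    """Parse a 'FullName<TAB>HTTPPassword' export (assumed layout) and summarise.

    Returns (Counter of classes, list of users still on the legacy hash).
    Blank lines and lines starting with '#' are skipped; a line without
    exactly two tab-separated fields is counted as 'unknown'.
    """
    counts = Counter()
    legacy_users = []
    for raw in export_text.splitlines():
        line = raw.rstrip("\r\n")          # keep a trailing tab: empty field
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            counts["unknown"] += 1
            continue
        name, pw = parts
        kind = classify(pw)
        counts[kind] += 1
        if kind == "legacy":
            legacy_users.append(name)
    return counts, legacy_users


# Constructed sample export. The hash values are made-up strings of the
# assumed shapes, not real hashes from any directory.
SAMPLE_EXPORT = """\
# FullName\tHTTPPassword
CN=Alice Example/O=Acme\t0123456789abcdef0123456789abcdef
CN=Bob Example/O=Acme\t(GAAAAAAAAAAAAAAAAAAAAA)
CN=Carol Example/O=Acme\t
CN=Dave Example/O=Acme\tfedcba9876543210fedcba9876543210
CN=Erin Example/O=Acme\tnot-a-hash
"""

if __name__ == "__main__":
    counts, legacy = audit_export(SAMPLE_EXPORT)
    print(dict(counts))
    for user in legacy:
        print("still on legacy unsalted hash:", user)
```

Run against a real export, the "legacy" list is the set of accounts to migrate first, and a non-zero "unknown" count means the assumed patterns need adjusting for the release in use rather than that the data is bad.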
This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 15:44:08 PDT