Getting Further with Lotus Domino Password Disclosure

We recently reported a Lotus Domino vulnerability: Default Configuration Information Disclosure in Lotus Domino (Including Password Hashes). This vulnerability on its surface looks pretty harmless, but a quick investigation uncovers just how dangerous this vulnerability really is.

The advisory discusses the possibility of Lotus Domino users’ hashed passwords being retrieved by an unauthenticated/unprivileged user who simply accesses the Lotus Domino “Public Address Book”. This address book not only contains the list of all users with their phone number, email, pager :P , department code, room number, etc., but also their password.

The password can’t be seen unless you view the source of the page and capture the value found after the HTTPPassword variable, for example <input name="HTTPPassword" type="hidden" value="(…)">. The hashed value (Rc4) can then be broken by using the patch for John the Ripper provided at http://www.cr0.net:8040/misc/john-1.6.37-bigpatch-11.diff.gz and telling John that you are interested in breaking Lotus5 hashes.
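A defender-side check for the exposure described above, added here as an example and not part of the original advisory: it parses a saved copy of an address-book page, lists every hidden HTTPPassword field, and flags which values are in the legacy unsalted 32-hex format versus the parenthesised salted format. The sample HTML and the hash values in it are constructed placeholders, and the format rules are assumptions based on the common Domino hash layouts, not something taken from the page.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a person-document page; the hash values are made-up placeholders.
SAMPLE_HTML = """
<html><body>
<form><input name="FullName" type="text" value="Jane Doe">
<input name="HTTPPassword" type="hidden" value="0123456789ABCDEF0123456789ABCDEF"></form>
<form><input name="FullName" type="text" value="John Roe">
<input name="HTTPPassword" type="hidden" value="(GABCDEFGHIJKLMNOPQRS)"></form>
</body></html>
"""

# Assumed formats: 32 hex chars = legacy unsalted (Domino 5 style);
# "(G...)" / "(H...)" = salted formats introduced in later releases.
UNSALTED_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SALTED_RE = re.compile(r"^\([GH][A-Za-z0-9+/]+\)$")


def classify_hash(value):
    """Return 'unsalted', 'salted' or 'unknown' for a stored HTTPPassword value."""
    if UNSALTED_RE.match(value):
        return "unsalted"
    if SALTED_RE.match(value):
        return "salted"
    return "unknown"


class HiddenPasswordFinder(HTMLParser):
    """Collects (user, hash) pairs from hidden HTTPPassword inputs, using the
    most recent FullName input as the user label (a constructed layout assumption)."""

    def __init__(self):
        super().__init__()
        self.current_user = None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name, kind = a.get("name", "").lower(), a.get("type", "").lower()
        if name == "fullname":
            self.current_user = a.get("value")
        elif name == "httppassword" and kind == "hidden":
            self.findings.append((self.current_user, a.get("value")))


def audit_page(html):
    """Return a list of (user, hash_format) for every exposed HTTPPassword field."""
    parser = HiddenPasswordFinder()
    parser.feed(html)
    return [(user, classify_hash(value)) for user, value in parser.findings]
```

Any non-empty result means the page leaks password hashes to whoever can read it; an "unsalted" entry is the case the advisory warns about.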

The brute forcing mechanism is pretty quick: on an Intel Pentium 4 with a 2.80GHz CPU, John will try around 150,000 c/s.

Using Google I was able to locate a few vulnerable sites, and crack their users’ passwords in a few seconds (some were very simple passwords: password - passpass - enter - default - 123456), demonstrating that this vulnerability is a very serious one.


5 Comments:

  1. Your initial notice about this vulnerability is slightly incorrect.

    I.e. This is inaccurate: “Furthermore, the algorithm used by Lotus Domino to hash the password doesn’t use a salt”

    The correct statement is “Furthermore, the default algorithm used by Lotus Domino to hash the password doesn’t use a salt”.

    The option for using a salted hash has been available since Domino version 4.6 — seven years ago. It was not made the default due to concerns about interoperability with older server versions, and that’s clearly something that should have been revisited long before now.

    But let’s be clear. Are you claiming that the sites you found and cracked were using the unsalted hash? Or are you claiming that even with the salted hash option in place, you are able to quickly do a brute force attack? If it’s the latter, then the vulnerability is far worse than I (and other knowledgeable Domino users and consultants) had assumed.

    Author: I claimed they were using unsalted hashes. I have not tried cracking any salted hashes, or at least I haven’t noticed them (once I fed them to John) as being salted and uncrackable.

    -rhs

  2. Thanks for clarifying that.

  3. Since I know Lotus Notes as a security auditor, I’ve found that the address book that is at the center of the product’s architecture goes against many basic security requirements as current general criteria go.
    The mere capacity of any user to dump every detail of every user, and the full configuration of every server, is a major vulnerability if I apply what is usually defined as such in advisories that are nowadays published on other products.
    In any other product it wouldn’t matter if there is a salt in the hashed pwds; the fact that they can be dumped by any authenticated user, and without trace of that fact as an anomalous event, would be asking for an advisory which I haven’t been able to find yet.

  4. I totally agree with you Juan, I wish others would agree too… people are still arguing whether it is a vulnerability as the passwords are salted; my take is that the dump itself is the vulnerability.

  5. It is not just that you can browse the address book and see all of the details about anyone. Using LDAP, you can dump all of the NAB at once, and I have seen too many Domino servers that allow anonymous LDAP access.
