BF and IA vulnerabilities in IBM Lotus Domino

简介: Hello list! I want to warn you about Brute Force and Insufficient Authentication vulnerabilities in IBM Lotus Domino.
Hello list!

I want to warn you about Brute Force and Insufficient Authentication
vulnerabilities in IBM Lotus Domino. These are vulnerabilities in Domino,
which I've found at 03.05.2012 together with other holes.

Last year I've announced multiple vulnerabilities in IBM software and after
IBM fixed many of them, I've disclosed them. They fixed almost all
vulnerabilities (with few exceptions, like Brute Force in IBM Lotus Notes
Traveler), which I've informed them in May and December, and concerning
other holes they always told, that they were working on them. After IBM
released Domino 9.0 last month and still not answered concerning these
vulnerabilities, I've reminded IBM and they answered, that they would not be
fixing them.

-------------------------
Affected products:
-------------------------

Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4, 9.0 and previous versions.
These vulnerabilities haven't been fixed non in Domino 8.5.4 (released in
August 2012), nor in Domino 9.0 (released in Match 2013).

As recently IBM told me, almost after a year since my informing about these
vulnerabilities, they didn't fixed them, as they didn't see a need in it.
Because, according to them, there are built-in mechanisms in Domino for
protecting against BF and IA, so these holes are not a problem of the
application (but a problem of specific web sites). I.e. they meant, that
owners of web sites with Lotus Domino need to better configure it for
protection against these attacks.

-------------------------
Affected vendors:
-------------------------

IBM Domino (formerly IBM Lotus Domino)
http://www-03.ibm.com/software/products/us/en/ibmdomino/

----------
Details:
----------

Brute Force (WASC-11):

These pages, which require authentication, have no protection against Brute
Force attacks:

http://site/names.nsf
http://site/admin4.nsf
http://site/busytime.nsf
http://site/catalog.nsf
http://site/certsrv.nsf
http://site/domlog.nsf
http://site/events4.nsf
http://site/log.nsf
http://site/statrep.nsf
http://site/webadmin.nsf
http://site/web/war.nsf

There are two variants of login form: Basic Authentication (I found it
during pentest already in 2008) and form-based authentication (I found it
during pentest in 2012, alongside with the first variant). In both cases
there is no protection against Brute Force.

Insufficient Authentication (WASC-01):

Unprivileged user (with any account at the site, access to which can be
received via Brute Force vulnerability) has access to the next pages:

https://site/names.nsf - leakage of information about all users (names,
surnames, logins, e-mails and other personal information and settings)

https://site/admin4.nsf - leakage of information about administration
requests, including personal information (names, surnames, logins, etc.)

https://site/catalog.nsf - leakage of important information about files at
the server, about installed applications and their settings (Application
Catalog), including personal information (names, surnames, logins, etc.)

https://site/events4.nsf - leakage of information about events (Monitoring
Configuration)

After receiving access to names.nsf, it's possible to use Information
Leakage vulnerability, which found by Leandro Meiners in 2005 (for getting
password hashes) and which is still not fixed. IBM hasn't fixed it in
default configuration, but only recommended to remove hash field from
profiles or to use salted hashes. My client has used exactly Lotus salted
hashes and it hasn't helped (99% of hashes were picked up, including admin's
one).

------------
Timeline:
------------ 

Full timeline read in the first advisory
(
http://securityvulns.ru/docs28474.html ).

- During 16.05-20.05.2012 I've wrote announcements about multiple
vulnerabilities in IBM software at my site.
- During 16.05-20.05.2012 I've wrote five advisories via contact form at IBM
site.
- At 31.05.2012 I've resend five advisories to IBM PSIRT, which they
received and said they would send them to the developers (of Lotus
products).
- At 18.08.2012 I've reminded IBM about these holes and gave enough
arguments to fix them.
- At 14.04.2013 I've again remind IBM about these holes.
- At 23.04.2013 IBM answered that they would not fix these holes.
- At 26.04.2013 I've disclosed these vulnerabilities at my site
(
http://websecurity.com.ua/5829/ ).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
目录
相关文章
|
JavaScript
IBM Lotus Domino Designer 下载安装记录
对 IBM Bluemix 上的 Cloud Foundry 应用程序都进行了试用学习,但唯独对 Xpages 应用程序还是一无所知,所以趋周末时间学习了解一下。而要学习使用XPages,貌似就必须使用 IBM Lotus Domino Designer。
1604 0
|
Web App开发 前端开发 JavaScript
HTTP Response Splitting and XSS vulnerabilities in IBM Lotus Domino
I want to warn you about HTTP Response Splitting and Cross-Site Scripting vulnerabilities in IBM Lotus Domino.
1033 0
|
移动开发 Windows 数据格式
IBM Lotus Domino Authentication Bypass
  # Exploit Title: IBM Lotus Domino Controller auth.
1060 0
|
开发工具
IBM Watson提供的认知计算服务介绍
IBM Watson提供的认知计算服务介绍
|
传感器 人工智能 自然语言处理
IBM Watson 持续扩张,认知计算正悄然改变我们的生活
在去年 IBM 发布的一则很有创意的广告中,Watson 用 IBM 最新的认知计算机咨询单元与 Bob Dylan 聊了半分钟。Watson 说它每秒能读 8 亿页,并识别出 Dylan 作品中常用的主题,比如时间流逝和爱情消逝。
381 0
|
物联网 区块链 网络架构
带你读《基于区块链的物联网项目开发》之一:了解物联网并在IBM Watson物联网平台上开发
本书首先概述当前业务场景中的物联网概念,帮助读者在IBM Watson物联网平台上开发自己的设备,并使用Watson和Intel Edison创建物联网解决方案。之后介绍如何利用Hyperledger框架开发区块链网络,以及如何创建自己的集成区块链和物联网解决方案。接下来的章节讲述了如何在IBM Cloud平台利用物联网来实现端到端的区块链解决方案。最后,你将掌握如何将物联网和区块链技术融合,利用实践和驱动程序来开发实用集成解决方案。
|
人工智能
IBM Watson被曝给出错误癌症治疗建议,是悲剧还是误会?丨科技云·视角
曾经是公众心目中“人工智能”代名词的IBM Watson,在近4年砸下几百亿美元的研发投入后,前景反而愈发暗淡。医生抱怨Watson给出错误判断,多家医院终止了与Watson肿瘤相关项目,Watson真的能治病吗? 近日,外媒Stat News爆出了IBM的一份内部文件,其中提及Watson计算机经常给出错误的癌症治疗建议,比如给一个已经大出血的癌症病人开了有可能会导致出血的药。
9399 0
|
人工智能
IBM Watson健康部门裁员:花重金收购的医疗科技公司成重灾区
消息人士称,IBM Watson Health正在裁员50%至70%,之前收购的三家医疗科技公司的员工成为这次裁员的重灾区。同时,AI医疗行业数据不完整、隐私等问题,以及巨头之间的竞争,都给IBM Watson Health造成了压力。
1709 0