| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 27 Apr 2013 20:44:23 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, "1337 Exploit DataBase" <mr.inj3ct0r@...il.com> Subject: BF and IA vulnerabilities in IBM Lotus Domino Hello list! I want to warn you about Brute Force and Insufficient Authentication vulnerabilities in IBM Lotus Domino. These are vulnerabilities in Domino, which I've found at 03.05.2012 together with other holes. Last year I've announced multiple vulnerabilities in IBM software and after IBM fixed many of them, I've disclosed them. They fixed almost all vulnerabilities (with few exceptions, like Brute Force in IBM Lotus Notes Traveler), which I've informed them in May and December, and concerning other holes they always told, that they were working on them. After IBM released Domino 9.0 last month and still not answered concerning these vulnerabilities, I've reminded IBM and they answered, that they would not be fixing them. ------------------------- Affected products: ------------------------- Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4, 9.0 and previous versions. These vulnerabilities haven't been fixed non in Domino 8.5.4 (released in August 2012), nor in Domino 9.0 (released in Match 2013). As recently IBM told me, almost after a year since my informing about these vulnerabilities, they didn't fixed them, as they didn't see a need in it. Because, according to them, there are built-in mechanisms in Domino for protecting against BF and IA, so these holes are not a problem of the application (but a problem of specific web sites). I.e. they meant, that owners of web sites with Lotus Domino need to better configure it for protection against these attacks. ------------------------- Affected vendors: ------------------------- IBM Domino (formerly IBM Lotus Domino) http://www-03.ibm.com/software/products/us/en/ibmdomino/ ---------- Details: ---------- Brute Force (WASC-11): These pages, which require authentication, have no protection against Brute Force attacks: http://site/names.nsf http://site/admin4.nsf http://site/busytime.nsf http://site/catalog.nsf http://site/certsrv.nsf http://site/domlog.nsf http://site/events4.nsf http://site/log.nsf http://site/statrep.nsf http://site/webadmin.nsf http://site/web/war.nsf There are two variants of login form: Basic Authentication (I found it during pentest already in 2008) and form-based authentication (I found it during pentest in 2012, alongside with the first variant). In both cases there is no protection against Brute Force. Insufficient Authentication (WASC-01): Unprivileged user (with any account at the site, access to which can be received via Brute Force vulnerability) has access to the next pages: https://site/names.nsf - leakage of information about all users (names, surnames, logins, e-mails and other personal information and settings) https://site/admin4.nsf - leakage of information about administration requests, including personal information (names, surnames, logins, etc.) https://site/catalog.nsf - leakage of important information about files at the server, about installed applications and their settings (Application Catalog), including personal information (names, surnames, logins, etc.) https://site/events4.nsf - leakage of information about events (Monitoring Configuration) After receiving access to names.nsf, it's possible to use Information Leakage vulnerability, which found by Leandro Meiners in 2005 (for getting password hashes) and which is still not fixed. IBM hasn't fixed it in default configuration, but only recommended to remove hash field from profiles or to use salted hashes. My client has used exactly Lotus salted hashes and it hasn't helped (99% of hashes were picked up, including admin's one). ------------ Timeline: ------------ Full timeline read in the first advisory (http://securityvulns.ru/docs28474.html). - During 16.05-20.05.2012 I've wrote announcements about multiple vulnerabilities in IBM software at my site. - During 16.05-20.05.2012 I've wrote five advisories via contact form at IBM site. - At 31.05.2012 I've resend five advisories to IBM PSIRT, which they received and said they would send them to the developers (of Lotus products). - At 18.08.2012 I've reminded IBM about these holes and gave enough arguments to fix them. - At 14.04.2013 I've again remind IBM about these holes. - At 23.04.2013 IBM answered that they would not fix these holes. - At 26.04.2013 I've disclosed these vulnerabilities at my site (http://websecurity.com.ua/5829/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists