Monday, November 28, 2005

Hacking Domino

For the last three years I've been sitting on a draft article, with the working title Domino Security by Obscurity, which I've always been in two minds about publishing. The methods it talks about display a considerable security flaw in Domino. Well, at least in the way applications are developed. Domino is, as we all know, as secure as you make it. From what I can tell though, the methods no longer works with Domino 6 and I feel safer talking about it now.
All design elements and documents in a Notes database are assigned a hex NoteID. The assignment of these IDs follows a pattern. Knowing this pattern we could access documents by guessing the URLs to them.
The first view in a database takes hex NoteID of 116 (278 in normal numbers). Each view added after that is 4 greater and so follows a pattern like 120, 12d, 122, 126 etc. Like so:
Documents start at a hex value of 8F6 (2294 in normal numbers) and also follow the same pattern. With this knowledge we could try and access the first document in the first view like this:
http://server/database.nsf/116/8F6The code tries to access ?OpenView URLs for the first 200 views in the pattern. If the URL returns a non-error code then the view exists and it gets logged. The code then returns the browser a set of links to try accessing the views it found. The links calls the servlet again, this time with a parameter that tells the servlet which view to try. With this view the code guesses URLs for the first 2000 documents it might contain. Any that exist are returned as links to the browser. Clicking the links returned can give you access to documents you had no other way of getting at.
So what? Well, imagine you've secured an application by hiding a view and thinking that prevents access to its documents. This is the obscuring bit, of which security plays no part.
The guy who first told me about this suggested I kept it under wraps. Although I never tried it on any public web server, he claimed to have gotten access to highly sensitive information from a couple of high profile financial companies. The main reason I didn't ever hand out the code I wrote is that I was scared about people testing it on this server. Repeated requests for URLs that cause errors will crash Domino.
I had all but forgotten about this code until I happened upon a Sourceforge project the other day called "Domino Hunter".
DominoHunter is an open-source security tool that is able to scan and detect structure vulnerabilities in Domino Web servers.
This Perl script takes the whole thing a little further and guesses actual file names of known databases, before going on to guess at view and documents IDs. Scary.
Does anybody know if this really has gone away in Domino 6?
Finally, please, please, please don't point either of the scripts at this server.
By Sir Jake Howlett