I’ve also created a number of scripts which can be suitable when pen testing Lotus Domino. These scripts include support for collecting Internet password hashes and user ID files. ID files can be collected both as an authenticated user from the person web view or unauthenticated using the vulnerability CVE-2006-5835. Oh, and you can add Lotus Domino 8.5 to the list of vulnerable versions in that advisory. There are also two scripts that allow you to interact with the IBM Lotus Domino remote console. One script allows for password guessing, while the other one allows you to interact with the console ones your authenticated.

There’s a tiny script in the zip file that supports querying for registered objects in a ORB Naming Service using the GIOP protocol.

Last but not least I’ve created a framework for other password guessing scripts to use. The framework runs using multiple worker threads and does all the looping, iteration and other basic logic used by most of my previous brute scripts.

The zip file included in the nmap-dev post can be downloaded from here. Please help me out testing the scripts so that they can be added to the subversion version of nmap!

It’s available for download from the rdesktop page.

By default, when enabling AFP, the Public folder in each user’s home directory is shared as <Usernames> Public Folder. In my case “Patrik Karlsson’s Public Folder”. Since the Public folder is a subdirectory of a user’s home directory, exploiting this share provides access to all of that user’s home directory files (but not subdirectories or files with restrictive filesystem permissions).

As the name suggests, the Public shares are available to anyone without authentication. Given the default permissions on home directories (world read+execute) and the default umask (world read), this has a serious impact – as unauthenticated users can read all files in a user’s home directory. The attack also works for authenticated users against shares requiring authentication.

Technically the attack is not very challenging and relies on a classic directory traversal attack. It is strikingly similar to the famous Windows SMB filesharing vulnerability from 1995. However, sending such a path to the server without interpreting and translating it on the client is somewhat more challenging. I’ve developed a number of different scripts while researching the vulnerability that list, read and write files in the parent directory. In order to do so I’ve added the necessary code to the AFP library which is essentially the core of these NSE scripts.

At this time I’m releasing two scripts afp-path-vuln, afp-brute and library. The vulnerability detection script attempts to determine whether the scanned servers are vulnerable or not and outputs the contents of the parent directory if they are. The script and library are as of now available from the latest subversion version of Nmap and can also be downloaded here:

http://nmap.org/svn/scripts/afp-path-vuln.nse
http://nmap.org/svn/scripts/afp-brute.nse
http://nmap.org/svn/nselib/afp.lua

You can run the scripts either from your current version of Nmap or from the current subversion release. If you want to run the script with user credentials it needs the subversion release of Nmap as adding the support for AFP authentication involved patching the LUA to OpenSSL API.

For documentation on how to add scripts to your current Nmap installation have a look at Ron Bowes blog post “How-to: install an Nmap script” over here. The afp.lua library should be copied to the nselib directory which is located in the same parent directory as the scripts directory described in the blog post.

Last, but not least, here is the syntax for running the scripts against a system or network to detect vulnerable hosts:

nmap -p 548 --script afp-path-vuln <host or network>

If the server is vulnerable it will show the following output:

PORT    STATE SERVICE
548/tcp open  afp
| afp-path-vuln:
|   Patrik’s Public Folder/../ (5 first items)
|     .bash_history
|     .bash_profile
|     .CFUserTextEncoding
|     .config/
|     .crash_report_checksum
|
|_AFP path traversal (CVE-2010-0533): VULNERABLE

Solution
Apple has released Mac OS X 10.6.3 which addresses the vulnerability. It can be downloaded from here:
http://support.apple.com/kb/HT1222

Credits
Thanks to Fyodor and David Fifield for great suggestions, moral support, and review of the code.

Timeline
2010-02-10 – Security vulnerability disclosed to Apple together with PoC
2010-02-10 – Apple responds and have been able to reproduce vulnerability
2010-02-15 – Request of status update
2010-02-18 – Request of status update
2010-02-22 – Request of status update
2010-02-22 – Apple responds with DRAFT advisory and timing for disclosure (week starting 02/28)
2010-03-06 – Disclosure date overdue, request for status update
2010-03-08 – Apple responds with a new date for disclosure (week starting 03/15)
2010-03-17 – Request status update
2010-03-17 – Apple responds with a new date for disclosure (week starting 03/23)
2010-03-17 – Apple corrects the disclosure date to the 29th of March

- Penetration- and Application-security testing
- Application & System security reviews
- Incident response and IT-forensics
- Security training

If your interested or have any questions contact me directly or send an e-mail to jobs[at]inspectit[dot]se

• snmp-netstat shows listening and connected sockets
• snmp-processes shows process information including name, pid, path and parameters
• snmp-win32-services shows the names of running Windows services
• snmp-win32-shares shows the names and path of Windows shares
• snmp-win32-software shows a list of installed Windows software
• snmp-win32-users shows a list of local Windows users

Make sure to check them out over at insecure.org. In order to use them you need to check out the development sources from subversion. More info on that over here.

I’ve also added two more scripts that make use of the library nfs-get-stats and nfs-get-dirlist. The first retrieves disk usage for each export and the second lists files on a share. They’re both available from the nmap-scripts page as usual.

While messing around with the library I also cleaned up the code for mysql-brute and mysql-empty-password. All of the scripts that query the database obviously require credentials to do so. These can be provided on the command line using script arguments mysqluser and mysqlpassword or by running the mysql-brute or mysql-empty-password on the same time. There are dependencies set up so that the query scripts wait until these two scripts have collected the credentials. Here’s some sample output from the scripts …

Starting Nmap 5.20 ( http://nmap.org ) at 2010-01-23 22:46 CET
NSE: Starting runlevel 2 (of 2) scan.
NSE: Script Scanning completed.
Nmap scan report for bubba (1.2.3.4)
Host is up (0.0044s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-empty-password:
|_  root account has empty password
| mysql-brute:
|   root:<empty> => Login Correct
|_  test:test => Login Correct
| mysql-list-users:
|   test
|   root
|   test2
|   album
|   debian-sys-maint
|   horde
|   mediatomb
|_  squeezecenter
| mysql-list-databases:
|   information_schema
|   mysql
|   horde
|   album
|   mediatomb
|_  squeezecenter
| mysql-show-variables:
|   auto_increment_increment: 1
|   auto_increment_offset: 1
|   automatic_sp_privileges: ON
|   back_log: 50
|   basedir: /usr/
|   binlog_cache_size: 32768
|   bulk_insert_buffer_size: 8388608
|   character_set_client: latin1
|   character_set_connection: latin1
|   character_set_database: latin1
|   character_set_filesystem: binary
|   character_set_results: latin1
|   character_set_server: latin1
|   character_set_system: utf8
|   character_sets_dir: /usr/share/mysql/charsets/
|   collation_connection: latin1_swedish_ci
|   collation_database: latin1_swedish_ci
|   collation_server: latin1_swedish_ci
|   completion_type: 0
|   concurrent_insert: 1
|   connect_timeout: 5
|   datadir: /var/lib/mysql/
|   date_format: %Y-%m-%d
|   datetime_format: %Y-%m-%d %H:%i:%s
|   default_week_format: 0
|   delay_key_write: ON
|   delayed_insert_limit: 100
|   delayed_insert_timeout: 300
|   delayed_queue_size: 1000
|   div_precision_increment: 4
|   keep_files_on_create: OFF
|   engine_condition_pushdown: OFF
|   expire_logs_days: 10
|   flush: OFF
|   flush_time: 0
|   ft_boolean_syntax: + -><()~*:”"&|
|   ft_max_word_len: 84
|   ft_min_word_len: 4
|   ft_query_expansion_limit: 20
|   ft_stopword_file: (built-in)
|   group_concat_max_len: 1024
|   have_archive: YES
|   have_bdb: NO
|   have_blackhole_engine: YES
|   have_compress: YES
|   have_crypt: YES
|   have_csv: YES
|   have_dynamic_loading: YES
|   have_example_engine: NO
|   have_federated_engine: YES
|   have_geometry: YES
|   have_innodb: DISABLED
|   have_isam: NO
|   have_merge_engine: YES
|   have_ndbcluster: DISABLED
|   have_openssl: DISABLED
|   have_ssl: DISABLED
|   have_query_cache: YES
|   have_raid: NO
|   have_rtree_keys: YES
|   have_symlink: YES
|   hostname: bubba
|   init_connect:
|   init_file:
|   init_slave:
|   innodb_additional_mem_pool_size: 1048576
|   innodb_autoextend_increment: 8
|   innodb_buffer_pool_awe_mem_mb: 0
|   innodb_buffer_pool_size: 8388608
|   innodb_checksums: ON
|   innodb_commit_concurrency: 0
|   innodb_concurrency_tickets: 500
|   innodb_data_file_path:
|   innodb_data_home_dir:
|   innodb_doublewrite: ON
|   innodb_fast_shutdown: 1
|   innodb_file_io_threads: 4
|   innodb_file_per_table: OFF
|   innodb_flush_log_at_trx_commit: 1
|   innodb_flush_method:
|   innodb_force_recovery: 0
|   innodb_lock_wait_timeout: 50
|   innodb_locks_unsafe_for_binlog: OFF
|   innodb_log_arch_dir:
|   innodb_log_archive: OFF
|   innodb_log_buffer_size: 1048576
|   innodb_log_file_size: 5242880
|   innodb_log_files_in_group: 2
|   innodb_log_group_home_dir:
|   innodb_max_dirty_pages_pct: 90
|   innodb_max_purge_lag: 0
|   innodb_mirrored_log_groups: 1
|   innodb_open_files: 300
|   innodb_rollback_on_timeout: OFF
|   innodb_support_xa: ON
|   innodb_sync_spin_loops: 20
|   innodb_table_locks: ON
|   innodb_thread_concurrency: 8
|   innodb_thread_sleep_delay: 10000
|   interactive_timeout: 28800
|   join_buffer_size: 131072
|   key_buffer_size: 16777216
|   key_cache_age_threshold: 300
|   key_cache_block_size: 1024
|   key_cache_division_limit: 100
|   language: /usr/share/mysql/english/
|   large_files_support: ON
|   large_page_size: 0
|   large_pages: OFF
|   lc_time_names: en_US
|   license: GPL
|   local_infile: ON
|   locked_in_memory: OFF
|   log: OFF
|   log_bin: OFF
|   log_bin_trust_function_creators: OFF
|   log_error:
|   log_queries_not_using_indexes: OFF
|   log_slave_updates: OFF
|   log_slow_queries: OFF
|   log_warnings: 1
|   long_query_time: 10
|   low_priority_updates: OFF
|   lower_case_file_system: OFF
|   lower_case_table_names: 0
|   max_allowed_packet: 16776192
|   max_binlog_cache_size: 4294967295
|   max_binlog_size: 104857600
|   max_connect_errors: 10
|   max_connections: 100
|   max_delayed_threads: 20
|   max_error_count: 64
|   max_heap_table_size: 16777216
|   max_insert_delayed_threads: 20
|   max_join_size: 18446744073709551615
|   max_length_for_sort_data: 1024
|   max_prepared_stmt_count: 16382
|   max_relay_log_size: 0
|   max_seeks_for_key: 4294967295
|   max_sort_length: 1024
|   max_sp_recursion_depth: 0
|   max_tmp_tables: 32
|   max_user_connections: 0
|   max_write_lock_count: 4294967295
|   multi_range_count: 256
|   myisam_data_pointer_size: 6
|   myisam_max_sort_file_size: 2147483647
|   myisam_recover_options: BACKUP
|   myisam_repair_threads: 1
|   myisam_sort_buffer_size: 8388608
|   myisam_stats_method: nulls_unequal
|   ndb_autoincrement_prefetch_sz: 32
|   ndb_force_send: ON
|   ndb_use_exact_count: ON
|   ndb_use_transactions: ON
|   ndb_cache_check_time: 0
|   ndb_connectstring:
|   net_buffer_length: 16384
|   net_read_timeout: 30
|   net_retry_count: 10
|   net_write_timeout: 60
|   new: OFF
|   old_passwords: OFF
|   open_files_limit: 1024
|   optimizer_prune_level: 1
|   optimizer_search_depth: 62
|   pid_file: /var/run/mysqld/mysqld.pid
|   port: 3306
|   preload_buffer_size: 32768
|   profiling: OFF
|   profiling_history_size: 15
|   protocol_version: 10
|   query_alloc_block_size: 8192
|   query_cache_limit: 1048576
|   query_cache_min_res_unit: 4096
|   query_cache_size: 16777216
|   query_cache_type: ON
|   query_cache_wlock_invalidate: OFF
|   query_prealloc_size: 8192
|   range_alloc_block_size: 2048
|   read_buffer_size: 131072
|   read_only: OFF
|   read_rnd_buffer_size: 262144
|   relay_log_purge: ON
|   relay_log_space_limit: 0
|   rpl_recovery_rank: 0
|   secure_auth: OFF
|   secure_file_priv:
|   server_id: 0
|   skip_external_locking: ON
|   skip_networking: OFF
|   skip_show_database: OFF
|   slave_compressed_protocol: OFF
|   slave_load_tmpdir: /tmp/
|   slave_net_timeout: 3600
|   slave_skip_errors: OFF
|   slave_transaction_retries: 10
|   slow_launch_time: 2
|   socket: /var/run/mysqld/mysqld.sock
|   sort_buffer_size: 2097144
|   sql_big_selects: ON
|   sql_mode:
|   sql_notes: ON
|   sql_warnings: OFF
|   ssl_ca:
|   ssl_capath:
|   ssl_cert:
|   ssl_cipher:
|   ssl_key:
|   storage_engine: MyISAM
|   sync_binlog: 0
|   sync_frm: ON
|   system_time_zone: CET
|   table_cache: 64
|   table_lock_wait_timeout: 50
|   table_type: MyISAM
|   thread_cache_size: 8
|   thread_stack: 131072
|   time_format: %H:%i:%s
|   time_zone: SYSTEM
|   timed_mutexes: OFF
|   tmp_table_size: 33554432
|   tmpdir: /tmp
|   transaction_alloc_block_size: 8192
|   transaction_prealloc_size: 4096
|   tx_isolation: REPEATABLE-READ
|   updatable_views_with_limit: YES
|   version: 5.0.51a-17~bpo40+1
|   version_comment: (Debian)
|   version_compile_machine: powerpc
|   version_compile_os: debian-linux-gnu
|_  wait_timeout: 28800