Whitepaper “Lotus Domino: Penetration Through the Controller” from BlackHat Europe 2012
On the BlackHat Europe conference held from March 14 to March 16, Alexey Sintsov, head of information security audit department in ERPScan Company, shared his experience in penetration testing and presented the results of a recently conducted research of Lotus Domino security.
His presentation told about lack of time and frequently desire for companies to dig into the details of existing vulnerabilities to exploit them, and how it often impairs the quality of their work.
In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day vulnerability found. The result was an attack on the Domino Controller service (the Lotus Domino administration service) which allows full server compromise.