Bugtraq archives for 2nd quarter (Apr-Jun) 1999: Patrol security bugs

Patrol security bugs

fcosta (fcostaCF6.FR)
Fri, 9 Apr 1999 12:46:33 +0200

> >        ____/   ____/  _____/
> >       /       /      /       Security Department
> >      /       ___/        /  Tel : +33 (0)1 41 91 39 00
> >     /       /      /__/ /  Fax : +33 (0)1 41 91 39 99
> >   _____/ __/     ______/
> >
>   ____________________________________________________
>
>                 Patrol Security bugs report
>
>   ____________________________________________________
>
> PROBLEM:
>
> The PATROL management software from BMC SOFTWARE has 3 severe bugs :
>
> 1) Session password encryption weakness :
>
> The Patrol session password is protected in a way which does not prevent
> replay attacks. It is possible for an attacker to capture (wire
> tapping, network sniffing...) an encrypted password and to provide it to
> the BMC API to connect to the agent. The attacker can then get a shell with
> the agent without the administrator knowing it.
>
> 2) Patrol frames sealing :
>
> The algorithm used in Patrol for sealing the frames exchanged is fairly
> weak (enhanced checksum). It is thus quite easy for an attacker to build a
> spoofing system which sends faked frames to an agent.
>
> 3) Service deny on UDP port :
>
> The UDP ports accept connection requests and are thus exposed to
> ping-pong from another UDP port (e.g. chargen).
>
>   ____________________________________________________
>
>
> PLATFORM:
>
> Patrol agent until release 3.25 on all operating systems
>
>   ____________________________________________________
>
> DAMAGE:
>
> You can get an administrator account through the Patrol agent without
> accreditation or crash the system by a DOS attack.
>
>   ____________________________________________________
>
> SOLUTION:
>
> We are actually working with BMC SOFTWARE to correct all those bugs.
> ____________________________________________________
>
> For more information, contact Frederic COSTA : e-mail: fcostacf6.fr
>
>
>
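The replay weakness in item 1 of the advisory, as an added example that is not part of the original post and is not BMC's code or the Patrol wire protocol: a login that sends the same protected password every time is accepted again when the captured bytes are resent, while a response bound to a fresh single-use server nonce is not. The class and function names, the SHA-256/HMAC construction and the demo password are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"demo-session-password"  # constructed value, not from Patrol

def static_token(password):
    """Weak scheme: the same protected value is sent on every login."""
    return hashlib.sha256(password).digest()

class StaticServer:
    """Accepts any message equal to the stored protected password."""
    def __init__(self, password):
        self._expected = static_token(password)

    def login(self, token):
        return hmac.compare_digest(token, self._expected)

class ChallengeServer:
    """Issues a fresh nonce per login; each response is valid only once."""
    def __init__(self, password):
        self._password = password
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._pending:
            return False  # unknown or already-consumed nonce: replay rejected
        self._pending.discard(nonce)  # single use, even if the check fails
        expected = hmac.new(self._password, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def respond(password, nonce):
    """Client side: prove knowledge of the password for this nonce only."""
    return hmac.new(password, nonce, hashlib.sha256).digest()

def replay_outcomes():
    """Return (static replay accepted, fresh login accepted, nonce replay accepted)."""
    captured = static_token(PASSWORD)  # what a passive observer would record
    static_replay = StaticServer(PASSWORD).login(captured)
    server = ChallengeServer(PASSWORD)
    nonce = server.challenge()
    response = respond(PASSWORD, nonce)
    fresh = server.login(nonce, response)
    replayed = server.login(nonce, response)  # identical bytes sent again
    return static_replay, fresh, replayed
```
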