-- Corsaire Limited Security Advisory --

Title: Symantec/Axent NetProwler 3.5.x database configuration
Date: 07.04.01
Application: Symantec/Axent NetProwler 3.5.x
Environment: WinNT
Author: Martin O'Neal [martin.onealcorsaire.com]
Audience: General distribution

-- Scope --

The aim of this document is to clearly define some issues related to
a potentially unsound database configuration within the NetProwler
application environment as provided by Symantec/Axent [1].

-- History --

Vendor notified: 07.04.01
Document released: 09.05.01

-- Overview --

The latest version of the NetProwler intrusion detection product comes
as a three-tiered architecture, consisting of agents, a management
component, and a console. Both configuration and auditing information
is stored within a MySQL database hosted locally on the management tier
of the product. This database is exposed unnecessarily to potential
network scrutiny due to being configured by default to listen to all
local IP addresses.

-- Analysis --

The MySQL database included with the NetProwler product is used to
store both configuration and auditing information on the management tier.
This is accessed via an ODBC connection on the default MySQL port
(TCP/3306).

Because it is possible to connect to the databases remotely, if the
correct access password can be obtained (see Corsaire advisory
010317-001a [2]), it is possible to amend the data contained within them,
or simply delete the databases causing a denial of service in the
management tier.

In theory, using this flaw it is feasible to disable the IDS capabilities
of NetProwler, perform whatever attack is required, and then reconfigure
the host to its prior state.

As a proof of concept, a tool was created that simply deletes the
NetProwler databases causing a denial of service. This was provided to
the vendor, but will not be made freely available..

-- Recommendations --

The MySQL databases do not need to be accessed by remote systems, so the
MySQL engine can be configured to listen to localhost only. To do this,
edit the c:\my.cnf file and add the following line, then restart the host:

  [MySQLd]
  bind-address=127.0.0.1

-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=
    50&PID=3061537
[2] http://www.corsaire.com/advisories/010317-001a.txt

-- Revision --

Initial release.

Copyright 2001 Corsaire Limited. All rights reserved.

----------------------------------------------------------------------
CONFIDENTIALITY: This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited. If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER: Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------

Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey GU23 7EF
Telephone:+44(0)1483-226000 Email:infocorsaire.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]