Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Martin O'Neal (BugTraqcorsaire.com)
Date: Thu May 10 2001 - 04:25:34 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -- Corsaire Limited Security Advisory --

    Title: Symantec/Axent NetProwler 3.5.x database configuration
    Date: 07.04.01
    Application: Symantec/Axent NetProwler 3.5.x
    Environment: WinNT
    Author: Martin O'Neal [martin.onealcorsaire.com]
    Audience: General distribution

    -- Scope --

    The aim of this document is to clearly define some issues related to
    a potentially unsound database configuration within the NetProwler
    application environment as provided by Symantec/Axent [1].

    -- History --

    Vendor notified: 07.04.01
    Document released: 09.05.01

    -- Overview --

    The latest version of the NetProwler intrusion detection product comes
    as a three-tiered architecture, consisting of agents, a management
    component, and a console. Both configuration and auditing information
    is stored within a MySQL database hosted locally on the management tier
    of the product. This database is exposed unnecessarily to potential
    network scrutiny due to being configured by default to listen to all
    local IP addresses.

    -- Analysis --

    The MySQL database included with the NetProwler product is used to
    store both configuration and auditing information on the management tier.
    This is accessed via an ODBC connection on the default MySQL port

    Because it is possible to connect to the databases remotely, if the
    correct access password can be obtained (see Corsaire advisory
    010317-001a [2]), it is possible to amend the data contained within them,
    or simply delete the databases causing a denial of service in the
    management tier.

    In theory, using this flaw it is feasible to disable the IDS capabilities
    of NetProwler, perform whatever attack is required, and then reconfigure
    the host to its prior state.

    As a proof of concept, a tool was created that simply deletes the
    NetProwler databases causing a denial of service. This was provided to
    the vendor, but will not be made freely available..

    -- Recommendations --

    The MySQL databases do not need to be accessed by remote systems, so the
    MySQL engine can be configured to listen to localhost only. To do this,
    edit the c:\my.cnf file and add the following line, then restart the host:


    -- References --

    [1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=
    [2] http://www.corsaire.com/advisories/010317-001a.txt

    -- Revision --

    Initial release.

    Copyright 2001 Corsaire Limited. All rights reserved.

    CONFIDENTIALITY: This e-mail and any files transmitted with it are
    confidential and intended solely for the use of the recipient(s) only.
    Any review, retransmission, dissemination or other use of, or taking
    any action in reliance upon this information by persons or entities
    other than the intended recipient(s) is prohibited. If you have
    received this e-mail in error please notify the sender immediately
    and destroy the material whether stored on a computer or otherwise.
    DISCLAIMER: Any views or opinions presented within this e-mail are
    solely those of the author and do not necessarily represent those
    of Corsaire Limited, unless otherwise specifically stated.

    Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey GU23 7EF
    Telephone:+44(0)1483-226000 Email:infocorsaire.com