Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
RE: Computer Associates eTrust Security Command Center Multiple Vulnerabilities
From: Patrick Webster (patrickaushack.com)
Date: Fri Sep 22 2006 - 03:03:34 CDT
aushack.com - Vulnerability Advisory
Computer Associates - eTrust Security Command Center
"eTrust Security Command Center helps you discover and prioritize
relevant security data to effectively manage your security risks in real
time. By correlating security risks to assets, you can take corrective
action and investigate security incidents through a centralized command
and control center."
eTrust Security Command Center 1.0, r8, r8 SP1 CR1 and r8 SP1 CR2.
eTrust Audit 1.5 and r8.
1) Reveal web server path.
2) Read and delete arbitrary files from the host server under
the service account, generally LocalSystem.
3) The event alerting does not use authentication, and as such is
vulnerable to external replay attacks, similar to IDS replay attacks.
Medium - A malicious authenticated user may read and delete arbitrary
files, whilst an unauthenticated attacker may use a replay
attack to distract staff from tracking real events, and/or
denial of service by consuming disk space with false alerts.
The software is operated by use of a web browser. Authenticated users have
access to the various security reports and functions, which generally do
not verify user controlled parameters.
1) The 'ePPIServlet' script returns a detailed path error when sent the
quote character [ ' ] as part of the 'PIProfile' function.
2) The 'eSMPAuditServlet' class contains a function, 'getadhochtml',
which is used to provide reporting functionality. The component generates
reports in a temporary file location, returns the file contents to the
web client, then deletes it... but does not validate the path.
3) There is an API function to create your own alerts: eTSAPISend.exe.
The service does not use any authentication, so the attacker may script
the binary to send thousands of false-positive alerts to the Security
Command Center, diverting attention and resources from real threats.
Examples (lines have been wrapped):
Would return an error similar to: "Cannot read profile:
C:\Program Files\Computer Associates\eTrust\Command Centre\servlet\.. "
Assuming the product was installed on the C drive, this will return the
contents of c:\boot.ini to the client, then immediately delete it, e.g:
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2003 Server"
3) An example Windows Logon failure event would be similar to:
C:\> etsapisend.exe -nod $dstIP -cat "System Access" -opr Logon
-sta F -nam NT-Security -loc \\Domain\IIS_Server -usr System -evt 70
-src Security -nid 529 -inf "Logon Failure"
Fortunately, the web service requires product based authentication prior
to execution for 1 and 2. Unfortunately, the product ships with multiple
default usernames and passwords, which although unlikely, may still be
present. The default username:password pairs are below:
For point 3, the $dstIP must have the Audit Router socket open (tcp/111).
1) Fixes QO81875, QO81758, QO81862, QO81863 ...
2) Fixes QO81851, QO81876, QO81878 can be found at:
3) No solution - use perimeter based firewalls.
Patrick Webster ( patrickaushack.com )
Thanks to the CA Security team for their quick response.
21-Jan-2006 - Vulnerabilities discovered.
04-Aug-2006 - Sent to Computer Associates Security Advisor.
04-Aug-2006 - Vendor response & verification.
19-Sep-2006 - Vendor patch release.
22-Sep-2006 - Public disclosure.