Re: Infosec.19990526.compaq-im.a (fwd)
Misha (misha@insync.net)
Wed, 2 Jun 1999 02:42:42 -0500 (CDT)
> if this is a Compaq box, this might be the survey utility, which is
> used to inspect and report system configuration for support purposes.
> It gathers hardware and software information and saves it as a history
> of multiple sessions in a single configuration history file.
Survey.exe pegged the CPU at 100% when I tried to disable the Compaq
Insight Manager a couple of months ago, while locking down some IIS
machines. It looked like it was enumerating quite a few registry keys, as
well as hardware info and other information it shouldn't have been getting,
for web based management. I have included the recent advisory on Insight
Manager from Bugtraq. You should be able to find the complete archives on
the Bugtraq site. I would disable any vendor management tools on any
production machines as soon as possible.
Misha
Insync Internet Services
---------- Forwarded message ----------
Date: Wed, 26 May 1999 16:13:19 -0500
From: Vacuum <vacuum@SWORD.DAMOCLES.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Infosec.19990526.compaq-im.a
Vulnerability Summary
---------------------
Problem:  The web server included in Compaq Insight Manager could expose
          sensitive information.
Threat:   Anyone who has access to port 2301 where Compaq Insight Manager
          is installed could get unrestricted access to the server's disk
          through the "root dot dot" bug.
Platform: Detected on Windows NT and Novell Netware servers running on
          Compaq hardware.
Solution: Disable the Compaq Insight Manager web server or restrict
          anonymous access.
Vulnerability Description
-------------------------
When installing Compaq Insight Manager a web server gets installed. This
web server runs on port 2301 and is vulnerable to the old "root dot dot"
bug. This bug gives unrestricted access to the vulnerable server's disk. It
could easily get exploited with one of the URLs:
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf
Solution
--------
You could probably fix the problem by restricting anonymous access to the
Compaq Insight Manager web server. If you are not using the web server,
Infosec recommends disabling the service.
Background
----------
Infosec gives the credits to Master Dogen who first reported the problem
(Windows NT and Compaq Insight Manager) to us and wanted us to go public
with a vulnerability report.
Infosec has found that Novell Netware with Compaq Insight Manager has the
same problem, but it is not as common as on Windows NT.
Compaq Sweden was informed about this problem April 26, 1999.
---------- Forwarded message ----------
Date: Wed, 26 May 1999 16:13:19 -0500
From: Vacuum <vacuum@SWORD.DAMOCLES.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Infosec.19990526.compaq-im.a
Please disregard previous post, the signature got in the way of a paste.
In addition to //Gabriel Sandberg, Infosec gabriel.sandberg@infosec.se's
findings.
Web-Based Management is enabled, by default, when you install the Compaq
Server Management Agents for Windows NT (CPQWMGMT.EXE). The web-enabled
Compaq Server Management Agents allow you to view subsystem and status
information from a web browser, either locally or remotely. Web-enabled
Service Management Agents are available in all 4.x versions of Insight
Manager.
Compaq HTTP Server Version 1.2.15 (Pre-Release)
The only user accounts available in the Compaq Server Management
Agent WEBEM release are listed below.
http://111.111.111.111:2301/cpqlogin.htm

account anonymous
username anonymous
password

account user
username user
password public

account operator
username operator
password operator

account administrator
username administrator
password administrator

http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes
is the URL used to change the password. Unfortunately the password is
the only information that can be changed and is stored in clear text in
the following file.
c:\compaq\wbem\cpqhmmd.acl
-------------------------------------------------------------------------------------
Compaq-WBEM-AclFile, 1.1
anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F
login in progress... login in progress...
7A21DD9917C0C23907267FC07DBC7D12
administrator administrator D6022D9B3FCA717CCEED36E640160478
51B02137D6BF719FC62F4940DBE1F3E6
operator operator B5CE548356D1BEA5F1CFEE12FE9502C3
041D1015AEC9F60412C7F86E62D6672C
user user
EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A
Once you have found one WBEM-enabled machine, using Compaq's HTTP
Auto-Discovery Device List http://111.111.111.111:2301/cpqdev.htm
it is trivial to locate other machines.
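
Added example, not part of the archived messages and not Compaq or Infosec code: a log check for the "root dot dot" requests the advisory describes, flagging any request whose path climbs above the web root once percent-encoding and backslashes are accounted for. It assumes a proxy or filter in front of port 2301 writes Common Log Format; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (addresses, sizes and times are
# made up); the traversal paths are based on the ones quoted in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/1999:02:40:01 -0500] "GET /cpqlogin.htm HTTP/1.0" 200 1843
10.0.0.9 - - [02/Jun/1999:02:41:17 -0500] "GET /../../../winnt/repair/sam._ HTTP/1.0" 200 20480
10.0.0.9 - - [02/Jun/1999:02:41:30 -0500] "GET /%2e%2e/%2e%2e/system/ldremote.ncf HTTP/1.0" 200 512
10.0.0.7 - - [02/Jun/1999:02:42:02 -0500] "GET /images/../cpqdev.htm HTTP/1.0" 200 977
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3})')


def climbs_above_root(request_target):
    """Return True if the request path, once decoded, walks above the web root."""
    path = request_target.split("?", 1)[0]
    # Decode a bounded number of times so %2e%2e and %252e%252e are both caught.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in re.split(r"[/\\]+", path):   # NT accepts both separators
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:        # more ".." than directories entered so far
                return True
        else:
            depth += 1
    return False


def find_traversal(log_text):
    """Return (client, path, status) for every request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and climbs_above_root(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    for client, path, status in find_traversal(SAMPLE_LOG):
        print(f"{client} requested {path} -> HTTP {status}")
```

A 200 status on a flagged line means the server returned the file, so that host should be treated as having disclosed it; the `/images/../cpqdev.htm` request stays inside the root and is not flagged.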
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT