Compaq Insight Manager http server

Updated 10/5/01
CVE 1999-0771
CVE 1999-0772
CAN 2001-0134
CVE 2001-0728
CAN 2001-0840

Impact

Vulnerabilities in Compaq Insight Manager could allow a remote attacker to execute arbitrary code with administrator privileges or view any file on the server's disk, including a copy of the password file which could be retrieved and cracked.


Background

Compaq Insight Manager is a tool which facilitates remote monitoring and control of Compaq servers and clients. When it is installed, the system runs a web server on port 2301.

The Problem

There are several problems in Compaq web-enabled management software that could be exploited by a remote attacker.

CAN 2001-0134
CVE 2001-0728
CAN 2001-0840
First, several separate buffer overflow vulnerabilities could be used to execute arbitrary commands on the server with administrator privileges. Versions of Compaq Insight Manager XE for Windows up through 2.2 are affected if unpatched. Versions of Compaq Foundation Agent for ProLiant and ProSignia servers up through 5.1 are vulnerable as well. See Compaq Security Advisories SSRT0705, SSRT0758, and SSRT0766 for information on other platforms.

CVE 1999-0771
The second vulnerability is in the web server spawned by Compaq Insight Manager. The web server is vulnerable to the "root dot dot" bug. This bug gives unrestricted access to the vulnerable server's disk. An attacker could thereby view a copy of the system password file by entering a URL such as:

http://vulnerable-NT.com:2301/../../../winnt/repair/sam._

for a Windows NT system, or

http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf

for a Novell Netware system. (How many dots there should be is install-dependent.) The password file could then be cracked, giving the attacker complete control over the server.

Windows NT and Novell Netware systems running the following versions of Insight Manager are known to be vulnerable:

The following versions are known not to be vulnerable:

CVE 1999-0772
A third vulnerability in Compaq Insight Manager could allow a remote user to shut down Insight Manager's http server by sending it a request for a very long URL.
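The "root dot dot" traversal and the long-URL crash described above are both request-level defects that a reverse proxy, a log reviewer or the server itself can check for before a request reaches the filesystem. The Python below is an added example written for this page, not code from the tutorial or from Compaq: it canonicalises a request path the way a web server must (percent-decoding, treating backslashes as separators on Windows hosts, and tracking ".." segments that climb past the document root) and flags over-long request URIs, then runs those checks over constructed access-log lines. The two traversal URLs are the ones quoted above; the MAX_URI_LENGTH threshold, the log format, the addresses and the timestamps are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Assumed threshold, constructed for this example: the page only says the
# Insight Manager http server falls over on a "very long URL", not how long.
MAX_URI_LENGTH = 2048

# Minimal common-log-format matcher: pulls the method, URI and protocol out of
# the quoted request line. The log format itself is an assumption.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)"')


def resolve_path(raw_path: str):
    """Canonicalise a request path the way a server must before opening a file.

    Percent-decodes the path, treats backslashes as separators (Windows hosts)
    and walks the segments with a stack. A '..' that pops an empty stack means
    the request tried to step above the document root, which is exactly the
    condition the vulnerable server failed to reject.
    Returns (escaped_root, normalised_path).
    """
    decoded = unquote(raw_path).replace("\\", "/")
    stack = []
    escaped_root = False
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty (double slash) and '.' segments change nothing
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escaped_root = True  # climbed above the document root
        else:
            stack.append(segment)
    return escaped_root, "/" + "/".join(stack)


def classify_request(uri: str):
    """Return the list of problems a request URI exhibits (empty if benign)."""
    problems = []
    if len(uri) > MAX_URI_LENGTH:
        problems.append("long-uri")
    path = uri.split("?", 1)[0]  # the query string plays no part in path resolution
    escaped_root, _ = resolve_path(path)
    if escaped_root:
        problems.append("traversal")
    return problems


def scan_log(lines):
    """Scan access-log lines and return (line_number, problems) for suspicious ones."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not a request line we recognise; leave it alone
        problems = classify_request(match.group("uri"))
        if problems:
            findings.append((number, problems))
    return findings


# Constructed sample access-log lines for a management web server on port 2301.
# Addresses, timestamps, sizes and the benign paths are made up; the two
# traversal URIs are the ones quoted in the text above.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Oct/2001:12:00:00 -0400] "GET /index.htm HTTP/1.0" 200 512',
    '10.0.0.9 - - [05/Oct/2001:12:00:07 -0400] "GET /../../../winnt/repair/sam._ HTTP/1.0" 200 24576',
    '10.0.0.9 - - [05/Oct/2001:12:00:09 -0400] "GET /%2e%2e/%2e%2e/%2e%2e/system/ldremote.ncf HTTP/1.0" 200 118',
    '10.0.0.9 - - [05/Oct/2001:12:00:15 -0400] "GET /' + "A" * 4000 + ' HTTP/1.0" 400 0',
    '10.0.0.5 - - [05/Oct/2001:12:01:00 -0400] "GET /docs/../index.htm HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for number, problems in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(problems)}")
```

The stack walk is the check a server should apply rather than a substring match for "../": the percent-encoded request on the third log line contains no literal dots, yet it resolves to the same file outside the document root, while the fifth line's ".." stays inside the root and is correctly left alone.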

Resolution

All of the above vulnerabilities can be fixed by upgrading to the latest non-vulnerable version of the software, or by installing the patch if a non-vulnerable version is not available. For Compaq Insight Manager, upgrade to version 5.2, or else upgrade to version 2.0 or 2.1 and install Softpaq 14487 and Softpaq 17926. For Compaq Foundation Agent, upgrade to version 5.2, or install Softpaq 14487 and Softpaq 17926 for Windows or Softpaq 14488 and Softpaq 17927 for NetWare. For other products or platforms, see advisories SSRT0705 and SSRT0758.

It is also advisable to adhere to the following practices:

  1. If the Web-enabled version of Compaq Insight Manager isn't being used, disable the service. If it is being used, upgrade to the non-vulnerable version. Additionally, tighten the service's access controls so that only read access is available via the Intranet.
  2. Remove all backup SAM databases or properly secure the directory (C:\winnt\repair\) storing that information so that only the administrator can read it. The corollary to this is to physically secure all backup media and ERDs as well since they could contain the backup SAM database.
  3. Use strong(er) passwords. Since this exploitation process is so easy, and you have no way of detecting if your servers have already been compromised, you should change all Administrator passwords immediately. On the servers with users' accounts (not just service accounts) you should enforce the standards for password composition, expiration and retention.
  4. Novell recommends disabling rconsole access and has no fix planned. The work-around is to simply remove the Remote NetWare Loadable Module, or NLM, from memory with an UNLOAD RSPX and UNLOAD REMOTE command at the console. They suspect this is not possible for most sites, so the alternative is to closely guard your ldremote.ncf, possibly by moving it to a different location (security by obscurity). You should also consider using Auditcon or a similar product to audit the use of the file and track anyone who touches it.

Where can I read more about this?

The buffer overflow vulnerabilities were reported in Compaq Security Advisories SSRT0705, SSRT0758, and SSRT0766. The "root dot dot" vulnerability was posted to Bugtraq. The denial of service vulnerability was also posted to Bugtraq.