Compaq Insight Manager http server
Updated 10/5/01
CVE 1999-0771
CVE 1999-0772
CAN 2001-0134
CVE 2001-0728
CAN 2001-0840
Impact
Vulnerabilities in Compaq Insight Manager could allow a remote attacker to
execute arbitrary code with administrator privileges, or to
read any file on the server's disk, including a backup copy of the
password database, which could be retrieved and cracked offline.
Background
Compaq Insight Manager is a tool which facilitates remote
monitoring and control of Compaq servers and clients. When it is
installed, the system runs a management web server on TCP port 2301.
The Problem
There are several problems in Compaq web-enabled management software that could
be exploited by a remote attacker.
CAN 2001-0134
CVE 2001-0728
CAN 2001-0840
First, several separate buffer overflow vulnerabilities in the
web-enabled management software can be used to execute arbitrary code
on the server with administrator privileges. Versions of Compaq Insight
Manager XE for Windows up through 2.2 are affected if unpatched. Versions
of Compaq Foundation Agent for ProLiant and Prosignia servers up through
5.1 are vulnerable as well. See Compaq Security Advisories
SSRT0705,
SSRT0758, and
SSRT0766
for information on other platforms.
CVE 1999-0771
The second vulnerability is in the web server spawned by Compaq Insight
Manager, which is vulnerable to the "root dot dot" bug, a directory
traversal flaw: the server appends the requested path to its document
root without rejecting ".." components, so a URL containing enough "../"
segments walks out of the web root to the root of the drive and gives
read access to any file on the server's disk. An attacker could thereby
fetch a copy of the system password file by entering a URL such as:
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
for a Windows NT system (sam._ is the compressed backup of the SAM
database that rdisk writes to the repair directory), or
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf
for a Novell NetWare system (ldremote.ncf is the startup file that loads
the remote console module and holds its password).
The number of "../" components needed depends on how deep the web root
sits in the installation, so an attacker simply tries increasing counts.
The password file could then be cracked offline, giving the attacker
complete control over the server.
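As an added illustration (not code from this page or from Compaq), the following Python contrasts the broken behaviour just described, where the requested path is simply appended to the document root, with a resolver that canonicalizes the request and refuses anything that lands outside the root. The document root, the function names and the probe paths beyond the two URLs quoted above are assumptions for the example; it also covers URL-encoded, double-encoded and backslash variants of the same traversal.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example; the real install path is not given on the page.
WEBROOT = "/compaq/wbem/htdocs"


def naive_resolve(root, url_path):
    """Mimic the "root dot dot" behaviour: decode the request and append it to the
    document root without checking whether the '..' components climb out of it."""
    decoded = unquote(url_path).replace("\\", "/")  # Windows treats '\' as a separator
    return posixpath.normpath(root + "/" + decoded)


def safe_resolve(root, url_path):
    """Canonicalize the request and return the on-disk path only if it stays
    inside root; return None for anything that would escape or is malformed."""
    # Decode twice so %252e%252e (double-encoded '..') is seen as '..' as well.
    decoded = unquote(unquote(url_path))
    # Normalize Windows separators so '..\..\' is handled like '../../'.
    decoded = decoded.replace("\\", "/")
    # A NUL byte would truncate the path in a C runtime; reject it outright.
    if "\x00" in decoded:
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    # After normalization the result must be the root itself or sit strictly below it.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The two URLs quoted above plus variants with a different number of '..'
    # components, encoded dots and backslashes, as an attacker would try them,
    # and one legitimate request that contains '..' but stays inside the root.
    probes = [
        "/../../../winnt/repair/sam._",
        "/../../../system/ldremote.ncf",
        "/../../../../../winnt/repair/sam._",
        "/%2e%2e/%2e%2e/%2e%2e/winnt/repair/sam._",
        "/%252e%252e/%252e%252e/%252e%252e/winnt/repair/sam._",
        "/..\\..\\..\\winnt\\repair\\sam._",
        "/images/../index.htm",
    ]
    for p in probes:
        print(f"{p!r:55} naive={naive_resolve(WEBROOT, p)!r:32} safe={safe_resolve(WEBROOT, p)!r}")
```

Note that posixpath.normpath clamps any surplus "../" components at the filesystem root, which is exactly why the naive version hands out "/winnt/repair/sam._" regardless of how many dots the attacker guesses once the count is large enough; the safe version rejects every such request because the normalized result no longer starts with the document root.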
Windows NT and Novell Netware systems running the following versions
of Insight Manager are known to be vulnerable:
- 1.2.14
- 1.2.15 (pre-release)
- 1.3.12
- 1.4.10
The following versions are known not to be vulnerable:
CVE 1999-0772
A third vulnerability in Compaq Insight Manager could allow a
remote user to crash Insight Manager's HTTP server (a denial of
service) by sending it a request containing a very long URL.
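As an added example (not from this page or from Compaq), the Python below runs simple detection logic over constructed web-server log lines and flags the two request patterns described in this section: ".." traversal against the port 2301 server, whether plain, URL-encoded or written with backslashes, and abnormally long URLs of the kind that crash the server. The Common Log Format layout, the addresses, timestamps, byte counts and the 1024-byte length threshold are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format. Addresses, timestamps,
# sizes and request strings are made up for this example.
LONG_URL = "/" + "A" * 4096
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [05/Oct/2001:10:12:01 -0400] "GET /index.htm HTTP/1.0" 200 1532',
    '10.0.0.9 - - [05/Oct/2001:10:12:07 -0400] "GET /../../../winnt/repair/sam._ HTTP/1.0" 200 40960',
    '10.0.0.9 - - [05/Oct/2001:10:12:09 -0400] "GET /%2e%2e/%2e%2e/%2e%2e/system/ldremote.ncf HTTP/1.0" 200 512',
    r'10.0.0.9 - - [05/Oct/2001:10:12:11 -0400] "GET /..\..\..\winnt\repair\sam._ HTTP/1.0" 200 40960',
    f'10.0.0.12 - - [05/Oct/2001:10:13:44 -0400] "GET {LONG_URL} HTTP/1.0" 400 0',
])

# One CLF record: source, identity, user, timestamp, request line, status, size.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A '..' path component bounded by separators (so 'foo..bar' does not match).
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
MAX_URL_LEN = 1024  # assumed threshold; tune to the longest legitimate URL the agent serves


def classify(line):
    """Parse one log line and return a record with the reasons it is suspicious
    (empty list when it is not), or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    raw_path = m.group("path")
    # Decode twice and fold backslashes so encoded and Windows-style variants
    # of the same traversal all normalize to '../'.
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    # Length is judged on the raw request, which is what the server had to buffer.
    if len(raw_path) > MAX_URL_LEN:
        reasons.append("long-url")
    return {"src": m.group("src"), "ts": m.group("ts"), "path": raw_path, "reasons": reasons}


def scan(log_text):
    """Return the suspicious records from a block of log text, in order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


def by_source(hits):
    """Count suspicious requests per source address, to spot a scanner walking the dot count."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        shown = h["path"] if len(h["path"]) <= 60 else h["path"][:57] + "..."
        print(f'{h["src"]:12} {h["ts"]}  {",".join(h["reasons"]):14} {shown}')
    print(dict(by_source(found)))
```

The traversal rule also fires on benign requests that contain "../" but stay inside the web root, which is acceptable for a server on a management port where such requests should not occur at all; the per-source count is the more useful signal, because an attacker who does not know the install depth produces a run of requests from one address with an increasing number of "../" components.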
Resolution
All of the above vulnerabilities can be fixed by upgrading
to the latest non-vulnerable version of the software, or by
installing the patch if a non-vulnerable version is not
available. For Compaq Insight Manager, upgrade to version 5.2, or else
upgrade to version 2.0 or 2.1 and install Softpaq 14487 and Softpaq
17926. For Compaq Foundation Agent, upgrade to version 5.2, or install
Softpaq 14487 and Softpaq 17926 for Windows, or Softpaq 14488 and
Softpaq 17927 for NetWare. For other products or platforms, see
advisories SSRT0705 and SSRT0758.
It is also advisable to adhere to the following practices:
-
If the Web-enabled version of Compaq Insight Manager isn't being used,
disable the service. If it is being used, upgrade to the non-vulnerable
version. Additionally, tighten the service's access controls so that
only read access is available, and only from the intranet.
-
Remove all backup SAM databases, or properly secure the directory (C:\winnt\repair\)
that stores them so that only the administrator can read it.
The corollary is to physically secure all backup media and Emergency Repair
Disks (ERDs) as well, since they also contain the backup SAM database.
-
Use strong(er) passwords. Since this exploitation process is so easy,
and you have no reliable way of telling whether your servers have already
been compromised, you should change all Administrator passwords immediately.
On servers that hold users' accounts (not just service accounts) you should
enforce standards for password composition, expiration and reuse.
-
Novell recommends disabling rconsole access and has no fix planned. The
work-around is simply to remove the Remote NetWare Loadable Module (NLM)
from memory with the UNLOAD RSPX and UNLOAD REMOTE commands at the console.
Novell suspects this is not possible for most sites, so the alternative is
to closely guard your ldremote.ncf, possibly by moving it to a different
location (security by obscurity). You should also consider using Auditcon
or a similar product to audit access to the file and track anyone who
touches it.
Where can I read more about this?
The buffer overflow vulnerabilities were reported in Compaq Security Advisories
SSRT0705, SSRT0758, and
SSRT0766.
The "root dot dot" vulnerability was posted to
Bugtraq. The denial of service vulnerability was also posted to
Bugtraq.