Date: Fri, 9 Apr 1999 12:46:33 +0200
From: fcosta
To: BUGTRAQ@netspace.org
Subject: Patrol security bugs

>   ____/ ____/ _____/
>  /    /     /              Security Department
> /  ___/    /               Tel : +33 (0)1 41 91 39 00
> /    /  /__/ /             Fax : +33 (0)1 41 91 39 99
> _____/ __/ ______/
>

____________________________________________________
Patrol Security bugs report
____________________________________________________

PROBLEM:

The PATROL management software from BMC SOFTWARE has 3 severe bugs:

1) Session password encryption weakness:

The Patrol session password is protected in a way that does not prevent
replay attacks. An attacker who captures an encrypted password (wire
tapping, network sniffing...) can present it to the BMC API and connect to
the agent. The attacker then obtains a shell through the agent without the
administrator knowing it.

2) Patrol frame sealing:

The algorithm Patrol uses to seal the exchanged frames is fairly weak (an
enhanced checksum). It is therefore quite easy for an attacker to build a
spoofing system that sends forged frames to an agent.

3) Denial of service on UDP port:

The UDP ports accept connection requests and are thus exposed to a
ping-pong loop with another UDP service (e.g. chargen).

____________________________________________________

PLATFORM:

Patrol agent up to release 3.25 on all operating systems

____________________________________________________

DAMAGE:

An attacker can obtain an administrator account through the Patrol agent
without authorization, or crash the system with a DoS attack.

____________________________________________________

SOLUTION:

We are currently working with BMC SOFTWARE to correct all of these bugs.

____________________________________________________

For more information, contact Frederic COSTA:
e-mail: fcosta@cf6.fr
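The two design flaws in items 1 and 2 are instances of general properties: a credential that is the same on every session can be replayed, and a seal computed without a secret can be recomputed by whoever modifies the frame. The following Python is an added illustration, not BMC's code and not a model of Patrol's actual protocol; the agent classes, the sum-based seal, and all keys, passwords and frames are constructed sample values. It shows what the fix for each item has to provide: a per-session challenge that makes a captured response useless later, and a keyed MAC that a third party cannot recompute.

```python
"""Added illustration (not BMC's code): replayable static credentials versus
challenge-response, and checksum seals versus keyed MACs.
Every key, password and frame here is a constructed sample value."""
import hashlib
import hmac
import os
import struct


# --- Item 1: a fixed session credential can be replayed ---------------------

class StaticCredentialAgent:
    """Hypothetical agent that accepts one fixed, reusable credential.
    Whatever was seen on the wire once can be presented again."""

    def __init__(self, credential: bytes):
        self._credential = credential

    def authenticate(self, presented: bytes) -> bool:
        return hmac.compare_digest(self._credential, presented)


class ChallengeResponseAgent:
    """Hypothetical agent that issues a fresh random challenge per login and
    accepts only HMAC(password, challenge). A recorded response is bound to a
    challenge that is never reused, so it is worthless next time."""

    def __init__(self, password: bytes):
        self._password = password
        self._outstanding = None

    def new_challenge(self) -> bytes:
        self._outstanding = os.urandom(16)
        return self._outstanding

    def authenticate(self, response: bytes) -> bool:
        if self._outstanding is None:
            return False
        expected = hmac.new(self._password, self._outstanding, hashlib.sha256).digest()
        self._outstanding = None  # single use: consumed whether or not it matches
        return hmac.compare_digest(expected, response)


def answer_challenge(password: bytes, challenge: bytes) -> bytes:
    """Console side of the challenge-response exchange."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


def replay_demo():
    """Returns (static_replay_accepted, first_login_ok, cr_replay_accepted)."""
    password = b"constructed-sample-password"
    # Static scheme: the "encrypted" credential is a fixed transform of the
    # password, so the bytes a sniffer records are exactly what the agent wants.
    static = StaticCredentialAgent(credential=hashlib.sha256(password).digest())
    captured = hashlib.sha256(password).digest()
    static_replay_accepted = static.authenticate(captured)

    cr = ChallengeResponseAgent(password)
    captured_response = answer_challenge(password, cr.new_challenge())
    first_login_ok = cr.authenticate(captured_response)
    cr.new_challenge()  # a later session gets a different challenge
    cr_replay_accepted = cr.authenticate(captured_response)
    return static_replay_accepted, first_login_ok, cr_replay_accepted


# --- Item 2: a checksum seal is not an integrity check ----------------------

SHARED_KEY = b"constructed-sample-key"  # placeholder, not a real key


def checksum_seal(frame: bytes) -> bytes:
    """Sum-based seal (constructed stand-in for an 'enhanced checksum').
    It needs no secret, so it detects accidental corruption only."""
    return struct.pack(">H", sum(frame) & 0xFFFF)


def hmac_seal(frame: bytes, key: bytes) -> bytes:
    return hmac.new(key, frame, hashlib.sha256).digest()


def receiver_accepts_checksum(frame: bytes, seal: bytes) -> bool:
    return checksum_seal(frame) == seal


def receiver_accepts_hmac(frame: bytes, seal: bytes) -> bool:
    return hmac.compare_digest(hmac_seal(frame, SHARED_KEY), seal)


def seal_demo():
    """Returns (checksum_accepts_modified, hmac_accepts_modified, permutation_keeps_sum)."""
    frame = b"CMD:list-processes"
    original_hmac = hmac_seal(frame, SHARED_KEY)
    modified = b"CMD:kill-processes"  # same length, different content
    # No key is needed to seal the modified frame, so the receiver accepts it.
    checksum_accepts = receiver_accepts_checksum(modified, checksum_seal(modified))
    # Without the key, the old seal is all a third party has; verification fails.
    hmac_accepts = receiver_accepts_hmac(modified, original_hmac)
    # Worse: any reordering of the bytes leaves a sum-based seal unchanged.
    permuted = b"CMD:processes-list"
    permutation_keeps_sum = checksum_seal(permuted) == checksum_seal(frame)
    return checksum_accepts, hmac_accepts, permutation_keeps_sum


if __name__ == "__main__":
    print("replay demo (static replay, first login, CR replay):", replay_demo())
    print("seal demo (checksum accepts, HMAC accepts, permutation keeps sum):", seal_demo())
```

The challenge must come from a cryptographic random source and be consumed on first use, as above, or the scheme degrades back to a replayable token; the HMAC key must be per deployment and never travel in the frames it protects. Item 3 is separate: the UDP ping-pong loop is mitigated by not answering unsolicited datagrams on the agent port and by filtering the classic small UDP services (chargen, echo) at the host or network edge.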