Date: Wed, 26 May 1999 16:41:36 +0100
From: gabriel.sandberg@INFOSEC.SE
To: BUGTRAQ@netspace.org
Subject: Infosec.19990526.compaq-im.a

Infosec Security Vulnerability Report
No: Infosec.19990526.compaq-im.a
=====================================

Vulnerability Summary
---------------------

Problem:  The web server included in Compaq Insight Manager could expose
          sensitive information.

Threat:   Anyone that has access to port 2301 where Compaq Insight Manager
          is installed could get unrestricted access to the server's disk
          through the "root dot dot" bug.

Platform: Detected on Windows NT and Novell Netware servers running on
          Compaq hardware.

Solution: Disable the Compaq Insight Manager web server or restrict
          anonymous access.

Vulnerability Description
-------------------------

When installing Compaq Insight Manager a web server gets installed. This
web server runs on port 2301 and is vulnerable to the old "root dot dot"
bug. This bug gives unrestricted access to the vulnerable server's disk.
It could easily get exploited with one of the URLs:

  http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
  http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf

(How many dots there should be is install-dependent)

Solution
--------

You could probably fix the problem by restricting anonymous access to the
Compaq Insight Manager web server. If you are not using the web server,
Infosec recommends disabling the service.

Background
----------

Infosec gives the credits to Master Dogen who first reported the problem
(Windows NT and Compaq Insight Manager) to us and wanted us to go public
with a vulnerability report. Infosec has found that Novell Netware with
Compaq Insight Manager has the same problem, but it is not as common as on
Windows NT.

Compaq Sweden was informed about this problem April 26, 1999.
//Gabriel Sandberg, Infosec
gabriel.sandberg@infosec.se

------------------------------------------------------------------------------

Date: Wed, 26 May 1999 16:13:19 -0500
From: Vacuum
To: BUGTRAQ@netspace.org
Subject: Re: Infosec.19990526.compaq-im.a

Please disregard previous post, the signature got in the way of a paste.

In addition to //Gabriel Sandberg, Infosec gabriel.sandberg@infosec.se's
findings:

Web-Based Management is enabled, by default, when you install the Compaq
Server Management Agents for Windows NT (CPQWMGMT.EXE). The web-enabled
Compaq Server Management Agents allow you to view subsystem and status
information from a web browser, either locally or remotely. Web-enabled
Service Management Agents are available in all 4.x versions of Insight
Manager.

Compaq HTTP Server Version 1.2.15 (Pre-Release)

The only user accounts available in the Compaq Server Management Agent WEBEM
release are listed below.

  http://111.111.111.111:2301/cpqlogin.htm

  account       anonymous
  username      anonymous
  password

  account       user
  username      user
  password      public

  account       operator
  username      operator
  password      operator

  account       administrator
  username      administrator
  password      administrator

  http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes

is the url used to change the password. Unfortunately the password is the
only information that can be changed and is stored in clear text in the
following file.

  c:\compaq\wbem\cpqhmmd.acl

-------------------------------------------------------------------------------------
Compaq-WBEM-AclFile, 1.1
anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F
login in progress... login in progress...
7A21DD9917C0C23907267FC07DBC7D12
administrator administrator D6022D9B3FCA717CCEED36E640160478 51B02137D6BF719FC62F4940DBE1F3E6
operator operator B5CE548356D1BEA5F1CFEE12FE9502C3 041D1015AEC9F60412C7F86E62D6672C
user user EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A

Once you have found one wbem enabled machine, using Compaq's HTTP
Auto-Discovery Device List

  http://111.111.111.111:2301/cpqdev.htm

it is trivial to locate other machines.

------------------------------------------------------------------------------

Date: Thu, 27 May 1999 21:43:09 -0500
From: Vacuum
To: BUGTRAQ@netspace.org
Subject: Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)

Upon further research, I must retract my earlier statement that the Compaq
Insight Manager Web Agent's passwords are stored in clear text. In fact,
what we see in cpqhmmd.acl are the account name and username in clear text,
NOT the password.

Explanation of username and password combinations mentioned in my previous
post.

  c:\compaq\wbem\cpqhmmd.acl
or
  http://111.111.111.111:2301/../../../compaq/wbem/cpqhmmd.acl

cpqhmmd.acl contents:

Compaq-WBEM-AclFile, 1.1
anonymousanonymous737EEEFA7617ED94EDD74E659B83035F
login in progress...login in progress...7A21DD9917C0C23907267FC07DBC7D12
administratoradministrator37741E7AC5B9871F87CE6ABE15B28FCB070293B3998C461D866E277A259619F0
operatoroperatorB5CE548356D1BEA5F1CFEE12FE9502C3041D1015AEC9F60412C7F86E62D6672C
useruserEC286E733A8892ADFC895611D1557557C865DE636CA398F8523EDBE5700D457A

The default usernames and password combinations that I mentioned in my
previous post are still valid. Once again these are the defaults:

  account:  anonymous
  username: anonymous
  password:

  account:  user
  username: user
  password: public

  account:  operator
  username: operator
  password: operator

  account:  administrator
  username: administrator
  password: administrator

There are three types of data: Default (read only), Sets (read/write), and
Reboot (read/write).
The WebAgent.ini file in the system_root\CpqMgmt\WebAgent directory
specifies the level of user that has access to data. The "read=" and
"write=" entries in the file set the user accounts required for access,
where: 0 = No access, 1 = Anonymous, 2 = User, 3 = Operator, and
4 = Administrator. Changing these entries changes the security. The
web-enabled Server Agent service must be stopped and restarted for any
changes to take effect. Do not modify anything except the read/write
levels.

New Denial of service:

Just to make this post somewhat worthwhile.

  http://111.111.111.111:2301/AAAAAAAA.....  (223 A's seemed to be the minimum)

The first time this occurs, an application error occurs in surveyor.exe

  Exception: access violation (0xc0000005), Address: 0x100333e5

If you restart the Insight Web Agent Service and repeat, it will cause an
application error in cpqwmget.exe

  Exception: access violation (0xc0000005), Address: 0x002486d4

The http://111.111.111.111 will no longer respond until the service is
stopped and restarted.

Apologies for my previous error.

vac

------------------------------------------------------------------------------

Date: Fri, 28 May 1999 08:54:10 -0400
From: Ricky Mitchell
To: BUGTRAQ@netspace.org
Subject: second compaq insight manager vulnerability

Greetings,

Yesterday while I was removing the "web insight agent" service from our
vulnerable NT servers, I noticed on some machines that port 2301 was still
vulnerable. To completely remove the problem, make sure you also stop the
"surveyor" service as well if you have that installed. That will completely
shut off access to port 2301 and plug the hole.
Regards,

Rick Mitchell
NT administrator
Columbia Gas Transmission Corp

------------------------------------------------------------------------------

Date: Mon, 7 Jun 1999 10:28:22 -0400
From: Andrew Kunz
To: BUGTRAQ@netspace.org
Subject: Update on compaq webadmin

Look what Compaq figured out

For Immediate Release
June 7, 1999

Compaq Computer Corporation
Compaq Security Advisory
Posted: June 7, 1999

Compaq Management Agent Security Vulnerability

Summary

As part of an ongoing concern about security and Internet technology, Compaq
has identified a potential security hole in the web-enabled portion of
Compaq Management Agents and the Compaq Survey Utility when installed as an
agent. This security hole can allow read access to files whose location and
filename are known or be used to terminate the process controlling the web
agents. This affects the web component of Compaq Management Agents version
4.0 and greater and the Compaq Survey Utility version 2.0 and greater when
installed as an agent. SNMP and DMI components without the web capability
enabled are not affected.

While there are no reports of customers being adversely affected by this
vulnerability, Compaq is proactively releasing this bulletin to allow
customers to take appropriate action to protect themselves against it.

Issue

The web component of Compaq Management Agents version 4.0 and greater and
Compaq Survey Utility 2.0 and greater provide HTTP services to allow
management information to be accessible through a web browser. Compaq has
always advocated that these agents and utilities be deployed only in private
networks and were not for use on the Internet or systems outside the bounds
of a firewall. Because of this, Compaq believes that the primary threat is
an internal one.
These agents have been discovered to be vulnerable to a file read security
hole which allows files whose location and name are known to be read on the
file system on which the agents are installed, and an overflow security hole
that potentially terminates the web agent process. In some cases with Novell
NetWare it has caused the server to stop responding.

Affected Software Versions

This affects the web component of all Compaq Management Agents 4.0 and
greater running with Windows NT, Windows 9x, Windows 2000, NetWare and Tru64
Unix. Additionally affected is the Compaq Survey Utility 2.0 and greater
when installed as an agent on Windows NT or NetWare.

Agent software affected includes those installed on ProLiant and Prosignia
servers (since May, 1998), AlphaServers with Windows NT (since October,
1998), AlphaServers with Tru64 Unix (since May, 1999), DIGITAL Intel Servers
(since October, 1998), Professional Workstations (since May, 1998), Deskpro
and Prosignia desktops (since September, 1998), and Armada and Prosignia
portables (since September, 1998). A complete matrix can be found at the end
of this document.

Compaq Management Agents for SCO Unix, UnixWare and OpenServer, IBM OS/2 and
Compaq OpenVMS are not affected in any way.

What Compaq is doing

Compaq is actively pursuing the testing and release of a software fix to the
problem. This will be initially released as a new version 4.23b of the
Server Management Agents and a new version 2.18 of the Survey Utility. The
Client Management Agent which is pre-installed at the factory will become
version 4.3. A SoftPAQ with the Client Management Agent 4.2C will be issued
with the fix.

--
Andrew Kunz
Telecom Analyst
Central Computing Facility
TDIT Server Technology
mailto:kunza@tdbank.ca
phone (416) 983-9027
pager (416) 375-8427
4163758427@shawpaging.com
-------------------------------------------
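A defender-side check for the two request patterns this thread reports against the port 2301 web agent (the "root dot dot" file read and the oversized-path crash), written as an added example that is not part of the original thread or of Compaq's software. It assumes a generic combined-log shape with the full URL in the request field; the log lines are constructed, and decoding %2e-encoded paths before matching goes beyond what the posts show.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not from the original thread). A generic
# combined-log shape is assumed, with the full URL in the request field.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/1999:16:41:36 +0100] "GET http://srv1:2301/cpqlogin.htm HTTP/1.0" 200
10.0.0.9 - - [26/May/1999:16:42:10 +0100] "GET http://srv1:2301/../../../winnt/repair/sam._ HTTP/1.0" 200
10.0.0.9 - - [26/May/1999:16:42:11 +0100] "GET http://srv1:2301/%2e%2e/%2e%2e/compaq/wbem/cpqhmmd.acl HTTP/1.0" 200
10.0.0.7 - - [27/May/1999:21:43:09 -0500] "GET http://srv2:2301/{} HTTP/1.0" 500
10.0.0.5 - - [27/May/1999:21:44:00 -0500] "GET http://www:80/../index.html HTTP/1.0" 404
""".format("A" * 230)

INSIGHT_PORT = 2301   # Compaq Insight Manager / web agent port from the thread
DOS_PATH_LEN = 223    # minimum path length reported to crash surveyor.exe

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def classify_request(url):
    """Return the findings for one requested URL ([] when nothing matches)."""
    parts = urlsplit(url)
    if parts.port != INSIGHT_PORT:
        return []                      # only the Insight Manager web server
    path = unquote(parts.path)         # also catch %2e%2e-encoded traversal
    findings = []
    if "/../" in path or path.startswith("../"):
        findings.append("traversal")   # the "root dot dot" file read
    if len(path.lstrip("/")) >= DOS_PATH_LEN:
        findings.append("oversized-path")   # the long-URL crash
    return findings


def scan_log(text):
    """Return a list of (line number, client IP, findings) for suspicious requests."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        hits = classify_request(m.group("url"))
        if hits:
            alerts.append((lineno, line.split()[0], hits))
    return alerts


if __name__ == "__main__":
    for lineno, client, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {client} -> {', '.join(hits)}")
```

Requests on ports other than 2301 are ignored on purpose, so the same traversal pattern against another web server is left to that server's own monitoring.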