Bugtraq mailing list archives

Patrol security bugs


From: fcosta () CF6 FR (fcosta)
Date: Fri, 9 Apr 1999 12:46:33 +0200


       ____/   ____/  _____/
      /       /      /       Security Department
     /       ___/        /  Tel : +33 (0)1 41 91 39 00
    /       /      /__/ /  Fax : +33 (0)1 41 91 39 99
  _____/ __/     ______/

  ____________________________________________________

                Patrol Security bugs report

  ____________________________________________________

PROBLEM:

The PATROL management software from BMC SOFTWARE has 3 severe bugs:

1) Session password encryption weakness:

The Patrol session password is protected in a way that does not prevent
replay attacks. An attacker can capture an encrypted password (wire
tapping, network sniffing...) and supply it to the BMC API to connect to
the agent. The attacker can then get a shell with the agent without the
administrator knowing it.

2) Patrol frame sealing:

The algorithm Patrol uses to seal the frames it exchanges is fairly weak
(an enhanced checksum). It is thus quite easy for an attacker to build a
spoofing system that sends faked frames to an agent.

3) Denial of service on UDP ports:

The UDP ports accept connection requests and are thus exposed to
ping-pong from another UDP port (e.g. chargen).

  ____________________________________________________


PLATFORM:

Patrol agent up to release 3.25, on all operating systems

  ____________________________________________________

DAMAGE:

An attacker can obtain an administrator account through the Patrol agent
without authorization, or crash the system with a DoS attack.

  ____________________________________________________

SOLUTION:

We are currently working with BMC SOFTWARE to correct all these bugs.

  ____________________________________________________

For more information, contact Frederic COSTA: e-mail: fcosta () cf6 fr
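
The replay weakness in item 1, as an added illustration that is not part of the original advisory and does not reproduce Patrol's actual protocol: a constructed agent that accepts a fixed protected-password blob, beside one that ties the proof to a one-time nonce. The class names, the sample secret and the use of HMAC-SHA256 are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-session-secret"  # constructed sample value

class StaticBlobAgent:
    """Weak model: one fixed protected-password blob is valid forever."""
    def __init__(self, secret):
        self._expected = hashlib.sha256(secret).digest()

    def login(self, blob):
        return hmac.compare_digest(blob, self._expected)

class ChallengeAgent:
    """Mitigation: proof must be HMAC(secret, nonce) over a one-time nonce."""
    def __init__(self, secret):
        self._secret = secret
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce, proof):
        if nonce not in self._pending:
            return False  # unknown or already consumed nonce
        self._pending.discard(nonce)  # each nonce is single use
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)

def demo():
    """Return (static_first, static_replay, fresh, replay_same, replay_new)."""
    weak = StaticBlobAgent(SECRET)
    captured = hashlib.sha256(SECRET).digest()  # blob as seen on the wire
    static = (weak.login(captured), weak.login(captured))
    agent = ChallengeAgent(SECRET)
    n1 = agent.challenge()
    proof = hmac.new(SECRET, n1, hashlib.sha256).digest()  # legitimate client
    fresh = agent.login(n1, proof)
    replay_same = agent.login(n1, proof)  # same nonce again: rejected
    replay_new = agent.login(agent.challenge(), proof)  # stale proof, new nonce
    return static + (fresh, replay_same, replay_new)

if __name__ == "__main__":
    print(demo())
```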
