Bugtraq mailing list archives
Patrol security bugs
From: fcosta () CF6 FR (fcosta)
Date: Fri, 9 Apr 1999 12:46:33 +0200
Security Department
Tel : +33 (0)1 41 91 39 00
Fax : +33 (0)1 41 91 39 99

____________________________________________________
Patrol Security bugs report
____________________________________________________

PROBLEM:

The PATROL management software from BMC SOFTWARE has 3 severe bugs:

1) Session password encryption weakness:
The Patrol session password is protected in a way which does not prevent replay attacks. It is possible for an attacker to capture (wire tapping, network sniffing...) an encrypted password and to provide it to the BMC API to connect to the agent. The attacker can then get a shell with the agent without the administrator knowing it.

2) Patrol frames sealing:
The algorithm used in Patrol for sealing the frames exchanged is fairly weak (enhanced checksum). It is thus quite easy for an attacker to build a spoofing system which sends faked frames to an agent.

3) Service deny on UDP port:
The UDP ports accept connection requests and are thus exposed to ping-pong from another UDP port (e.g. chargen).

____________________________________________________
PLATFORM:

Patrol agent until release 3.25 on all operating systems

____________________________________________________
DAMAGE:

You can get administrator account through Patrol agent without accreditation or crash system by DOS attack.

____________________________________________________
SOLUTION:

We are actually working with BMC SOFTWARE to correct all those bugs.

____________________________________________________
For more information, contact Frederic COSTA:
e-mail: fcosta () cf6 fr
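The replay weakness in item 1, as an added example that is not part of the original advisory and is not BMC's code or protocol: a fixed protected password is accepted again when resent, while a response bound to a fresh single-use nonce is not. The secret, the class and function names, and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-demo-secret"  # constructed sample, not a real credential

def static_token(secret: bytes) -> bytes:
    """Weak scheme: the same protected password goes on the wire at every login."""
    return hashlib.sha256(secret).digest()

class StaticAgent:
    """Hypothetical agent that accepts the fixed protected password."""
    def __init__(self, secret: bytes):
        self._expected = static_token(secret)
    def login(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self._expected)

class ChallengeAgent:
    """Hypothetical agent that issues a fresh single-use nonce per login attempt."""
    def __init__(self, secret: bytes):
        self._secret, self._pending = secret, set()
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce
    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already spent nonce: replay rejected
        self._pending.discard(nonce)  # a nonce is valid for one attempt only
        return hmac.compare_digest(response, respond(self._secret, nonce))

def respond(secret: bytes, nonce: bytes) -> bytes:
    """Console side: prove knowledge of the secret for this nonce only."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def demo() -> dict:
    weak, strong = StaticAgent(SHARED_SECRET), ChallengeAgent(SHARED_SECRET)
    captured = static_token(SHARED_SECRET)  # bytes visible to anyone on the wire
    nonce = strong.challenge()
    seen = respond(SHARED_SECRET, nonce)    # also visible on the wire
    return {
        "static_replay": weak.login(captured),                   # resent token accepted
        "cr_legit": strong.login(nonce, seen),                   # first use accepted
        "cr_same_nonce": strong.login(nonce, seen),              # nonce already spent
        "cr_new_nonce": strong.login(strong.challenge(), seen),  # bound to old nonce
    }

if __name__ == "__main__":
    print(demo())
```

The same keyed-MAC construction, computed over each frame together with a sequence number, is the usual replacement for the checksum-style sealing described in item 2.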