Re: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44 Ma nagement Tool

[ollie () DELPHISPLC COM (Ollie Whitehouse)]

Luciano,

The issue we found was that if the WebShield management agent is unable to
resolve your IP address to a host name (i.e. local host) it will allow you
access.

By resolve I mean by another of the following means:
Netbios / WINS
DNS

A good way of testing this is to have something like ATGuard which blocks
all traffic coming from your machine (i.e. browser broadcasts). So nothing
is able to resolve your IP to NAME then connect to port 9999.

We had both issues confirmed by Network Associates on the 22nd May 2000 by
the development team/product manager.

Rgds

Ollie
------
Security Team Leader
Delphis Consulting Plc
Tel: +44 (0)20 79160200
Fax: +44 (0)20 79161620

-----Original Message-----
From: Luciano Martins [mailto:luck () USSRBACK COM]
Sent: Friday, May 26, 2000 5:02 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44
Management Tool

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

well, hello first :), we have been researching McAfee WebShield SMTP
v4.5.74.0 for a long time (since the middle of march), and by default
only (localhost) can connect to port 9999.

So this "Authentication issue in WebShield SMTP v4.5.44 Management",
has no effect on the last version released the March 15, 2000.

> II. Solution
> ====================================================================
> ======== ====
>
> Vendor Contacted: 8-May-2000
>
> Currently there is no vendor patch available but there is the
> following preventative measures:

Of course, NAI did nothing because the problem is already fixed in
latest version.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c
h
http://www.ussrback.com

Security Team wrote:

> ====================================================================
> ======== ====
>                                  Delphis Consulting Plc
> ====================================================================
> ======== ====
>
>                                Security Team Advisories
>                                     [08/05/2000]
>
>                              securityteam () delphisplc com
>
> ====================================================================
> ======== ====
> Adv     :       DST2K0004b
> Title   :       Authentication issue in WebShield SMTP v4.5.44
> Management Tool
> Author  :       DCIST (securityteam () delphisplc com)
> O/S     :       Microsoft Windows NT v4.0 Server (SP6)
> Product :       NAI WebShield SMTP v4.0.5
> Date    :       08/05/2000 (Updated 15/05/2000)
>
> I.   Description
>
> II. Solution
>
> III.  Disclaimer
> ====================================================================
> ======== ====
>
> I. Description
> ====================================================================
> ======== ====
>
> Delphis Consulting Internet Security Team (DCIST) discovered the
> following vuln-
> erability in the NAI Management Agent for WebShield SMTP under
> Windows NT.
>
> Connecting to a machine which runs the management agent on port
> 9999 may allow
> an attacker to obtain read and write access to the configuration of
> a WebShield
> SMTP server. This appears to happen, even if the the MailCfg
> service is set to
> only allow configuration to take place from "localhost" in some
> configurations.
>
> The configuration data appears written to the registry before the
> service suffers from lack of bounds checking. This information
> written to the registry
> can be used to prevent the WebShield service from being started.
>
> Update: 15/05/2000
>
> The configuration agent uses hostname for authentication, if the
> server upon which the management agent is running is unable to
> resolve a hostname to the IP address it will allow access by
> default.
>
> II. Solution
> ====================================================================
> ======== ====
>
> Vendor Contacted: 8-May-2000
>
> Currently there is no vendor patch available but the following are
> preventative
> measures Delphis Consulting Internet Security Team would advise
> users running
> this service to implement.
>
> o Don't allow the service to run as SYSTEM but as a restricted user
> account. o Access list port 9999 on the local router or firewall to
> restrict access to only required machines.
> o Stop the management service.
>
> III. Disclaimer
> ====================================================================
> ======== ====
> THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE
> ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY
> IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
> NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
> WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE
> ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS
> INFORMATION FOR ANY PURPOSE.
> ====================================================================
> ======== ====

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOS33TK3JcbWNj6DDEQIvSQCff0TkimgvR2uzrPX0B8KWM5qOfZUAoIY4
50aMC/IqH9mcNPt8g1r7EQk4
=kegL
-----END PGP SIGNATURE-----