Bugtraq mailing list archives
RE: Remote Administrator 2.x: highly possible remote hole or back door
From: mgotts () 2roads com
Date: Fri, 20 Feb 2004 11:36:14 -0800
LordInfidel () directionweb com wrote on 02/18/2004 10:58:58 AM:
> From reading the thread on famatech's site, this looks more like a weak password issue, which is true of "ANY" piece of software using simple password authentication.
Actually, if you read the thread closely you will see that the attacks are said to comprise a *single* password attempt. On the second connection they were in. Tens of minutes pass between the two attempts. This behavior is observed in more than one of the attacks.
> Strong enough means absolutely nothing in the world of dictionary attacks......
No dictionary attack is being performed. The user claims that his logs show that the server is being sent a single password-attempt string of some kind, and on the next connection the attacker is in. I say "password-attempt string" because it is quite probable that the Radmin client is not being used for the initial. The exploit may take advantage of a flaw in the authentication system, or make use of a discovered backdoor.

Note that those who claim to have been hacked said their logs show an initial attempt (probably automated) and then a single successful login (no dictionary attack) 10-15 minutes later, presumably after the attacker checked his scanner logs and found a vulnerable system.

Additionally, there is a post from an anonymous user who claims to have developed an attack against Radmin's built-in authentication scheme. Although the posting could be complete BS, this person claims that the vulnerability does not exist in Radmin's optional NT authentication scheme. This same poster claims that he is going to contact Radmin in a short while with the details. Guess we'll see.

None of this is proof, of course. But there is also zero proof that every case is a weak password or dictionary attack. A bug in the authentication scheme is certainly possible. If I get a chance, maybe I can set up a honeypot machine with radmin (and a secure password) and see what happens.

-- Mark
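The log pattern described in the message above (one failed attempt, then a successful login tens of minutes later, with no run of guesses) can be told apart from password guessing and from a mistyped password when reviewing authentication logs. The following is an added example, not part of the original post and not Radmin code; the log line format, the thresholds and the label names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample; the "date time FAIL|OK source" layout is hypothetical,
# not Radmin's real log format.
SAMPLE_LOG = """\
2004-02-17 03:12:05 FAIL 203.0.113.7
2004-02-17 03:24:41 OK 203.0.113.7
2004-02-17 09:00:10 FAIL 198.51.100.9
2004-02-17 09:00:12 FAIL 198.51.100.9
2004-02-17 09:00:14 FAIL 198.51.100.9
2004-02-17 09:00:16 FAIL 198.51.100.9
2004-02-17 09:00:18 OK 198.51.100.9
2004-02-17 14:30:00 FAIL 192.0.2.10
2004-02-17 14:30:08 OK 192.0.2.10
2004-02-17 18:00:00 OK 192.0.2.10
"""

def parse(log_text):
    """Yield (timestamp, result, source) for each well-formed auth line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("FAIL", "OK"):
            continue  # not an authentication event
        try:
            ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # unparsable timestamp
        yield ts, parts[2], parts[3]

def classify_logins(log_text, window=timedelta(minutes=30),
                    min_gap=timedelta(minutes=5), max_failures=1):
    """Label every successful login by the failures that preceded it.

    Failures are counted from any source, since nothing says both
    connections come from one address. Input must be in time order.
    """
    failures, results = [], []
    for ts, result, src in parse(log_text):
        if result == "FAIL":
            failures.append(ts)
            continue
        recent = [f for f in failures if timedelta(0) <= ts - f <= window]
        if not recent:
            label = "clean"
        elif len(recent) > max_failures:
            label = "guessing"          # run of attempts: dictionary-style
        elif ts - recent[-1] >= min_gap:
            label = "delayed-single"    # lone attempt, login minutes later
        else:
            label = "retry"             # lone failure, immediate success: likely typo
        results.append((ts, src, label))
    return results
```

`classify_logins(SAMPLE_LOG)` returns one `(timestamp, source, label)` tuple per successful login; the `delayed-single` entries are the ones that match the reports discussed in the thread and deserve a closer look.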