Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Infosec.19990526.compaq-im.a (fwd)

From: Misha <misha () insync net>
Date: Wed, 2 Jun 1999 02:42:42 -0500 (CDT)
if this is a Compaq box, this might be the survey utility, which is
used to inspect and report system configuration for support purposes.
It gathers hardware and software information and saves it as a history
of multiple sessions in a single configuration history file.


Survey.exe pegged the CPU at 100% when I tried to disable the Compaq
Insight Manager a couple of months ago, while locking down some IIS
machines. It looked like it was enumerating quite a few registry keys, as
well as hardware info and other information it shouldnt have been getting,
for web based management. I have included the recent advisory on Insight
Manager from Bugraq. You should be able to find the complete archives on
the Bugtraq site. I would disable any vendor managent tools on any
production machines as soon as possible.

Misha
Insync Internet Services


---------- Forwarded message ---------- 
Date: Wed, 26 May 1999 16:13:19-0500 
From: Vacuum <vacuum () SWORD DAMOCLES COM> 
To: BUGTRAQ () netspace org
Subject: Re: Infosec.19990526.compaq-im.a

Vulnerability Summary
---------------------

Problem:  The web server included in Compaq Insight
               Manager could expose sensitive information.

Threat:   Anyone that have access to port 2301 where
               Compaq Insight Manager is installed could get
               unrestricted access to the servers disk through
               the "root dot dot" bug.

Platform: Detected on Windows NT and Novell Netware servers
               running on Compaq hardware.

Solution: Disable the Compaq Insight Manager web server or
               restrict anonymous access.


Vulnerability Description
-------------------------
When installing Compaq Insight Manager a web server gets installed. This
web
server runs on port 2301 and is vulnerable to the old "root dot dot" bug.
This
bug gives unrestricted access to the vulnerable server?s disk. It could
easily
get exploited with one of the URLs:

http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf

Solution
--------
You could probably fix the problem by restricting anonymous access to the
Compaq
Insight Manager web server. If you are not using the web server, Infosec
recommends disabling the service.


Background
----------
Infosec gives the credits to Master Dogen who first reported the problem
(Windows NT and Compaq Insight Manager) to us and wanted us go public with
a
vulnerability report.

Infosec have found that Novell Netware with Compaq Insight Manager have
the same
problem but is not as common as on Windows NT.

Compaq Sweden was informed about this problem april 26, 1999


---------- Forwarded message ----------
Date: Wed, 26 May 1999 16:13:19-0500
From: Vacuum <vacuum () SWORD DAMOCLES COM>
To: BUGTRAQ () netspace org
Subject: Re: Infosec.19990526.compaq-im.a


Please disgregard previous post, the signature got in the way of a paste


 In addition to //Gabriel Sandberg, Infosec gabriel.sandberg () infosec se's
 findings.

Web-Based Management is enabled, by default, when you install the Compaq
Server Management Agents for Windows NT.(CPQWMGMT.EXE) The web-enabled
Compaq Server Management Agents allow you to view subsystem and status
information from a web browser, either locally or remotely. Web-enabled
Service Management Agents are availible in all 4.x versions of Insight
Manager.

Compaq HTTP Server Version 1.2.15 (Pre-Release)


 The only user accounts available in the  Compaq Server Management
 Agent WEBEM release are listed below.


 http://111.111.111.111:2301/cpqlogin.htm

 account anonymous
 username anonymous
 password

 account user
 username user
 password public

 account operator
 username operator
 password operator

 account administrator
 username administrator
 password administrator

 http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes
 is the url used to change the password. Unfortunately the password is
 the only information that can be changed and is stored in
 clear text in the following file.

c:\compaq\wbem\cpqhmmd.acl
-------------------------------------------------------------------------------------
Compaq-WBEM-AclFile, 1.1
      anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F
      login in progress...  login in progress...
7A21DD9917C0C23907267FC07DBC7D12
      administrator administrator D6022D9B3FCA717CCEED36E640160478
51B02137D6BF719FC62F4940DBE1F3E6
      operator operator B5CE548356D1BEA5F1CFEE12FE9502C3
041D1015AEC9F60412C7F86E62D6672C
      user                                                            user
EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A

 Once you have found one wbem enabled machine, using compaq's HTTP
 Auto-Discovery Device List http://111.111.111.111:2301/cpqdev.htm
 It is trivial to locate other machines.
Previous By Date Next
Previous By Thread Next

Current thread: