Full Disclosure mailing list archives
Re: ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability
From: <rashbi () hushmail com>
Date: Thu, 19 Apr 2007 15:59:25 +0200
BMC has provided the following statement: "[This issue] has been found not to be a security vulnerability; when properly configured (as described for our customers in our documentation and in our online knowledge base) this attack is not possible."
Anybody with some experience of BMC Patrol products knows that security levels 1 to 4 are rarely used, because of the configuration and management overhead. Furthermore, level 0 (the default one) isn't imho the only security level impacted by this vulnerability (which is an anonymous r/w access to the SNMP configuration, including full paths to binaries), given that level 1 uses anonymous SSL and that level 2 uses SSL with an unverified client certificate. Levels 1 and 2 will just help an attacker to bypass your NIDS.
Interested people can have a look at the "Patrol Security User Guide" (http://www.bmc.com/supportu/documents/73/44/17344/17344.pdf) for additional details.
Conclusion: pconfig/xpconfig/wpconfig or any similar custom script can be used to hack any default install of Patrol BMC but it "has been found not to be a security vulnerability". How sad :-(
--
Rashbi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/