Compaq Insight Manager HTTP server
CVE-1999-0771
CVE-1999-0772
Impact
The web server included in Compaq Insight Manager could allow
unrestricted read access to any file on the server's disk. A copy of the
system password file (the backup SAM database on Windows NT, or
ldremote.ncf on NetWare) could be retrieved and cracked offline, allowing
an attacker to gain complete control of the system.
Background
Compaq Insight Manager is a tool which facilitates remote
monitoring and control of Compaq servers and clients. When it is
installed, the system runs a web server listening on TCP port 2301.
The Problem
CVE-1999-0771
The web server spawned by Insight Manager is vulnerable to the "root
dot dot" bug: it does not canonicalize ".." components in the requested
path before mapping the path onto the disk, so a request can walk out of
the server's document root. This gives unrestricted read access to the
vulnerable server's disk. An attacker could thereby retrieve a copy of
the system password file by entering a URL such as:
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
for a Windows NT system (sam._ is the compressed backup copy of the SAM
database that RDISK writes to the repair directory), or
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf
for a Novell NetWare system (ldremote.ncf is the NCF file that loads the
REMOTE NLM and carries the RCONSOLE password).
(How many "../" components are needed depends on how deep the server's
document root sits on the disk, so it is install-dependent.) The password
file could then be cracked offline, giving the attacker complete control
over the server.
Windows NT and Novell NetWare systems running the following versions
of Insight Manager are known to be vulnerable:
- 1.2.14
- 1.2.15 (pre-release)
- 1.3.12
- 1.4.10
The following versions are known not to be vulnerable:
CVE-1999-0772
A second vulnerability in Compaq Insight Manager is a denial of
service: a remote user can shut down Insight Manager's HTTP server
simply by sending it a request for a very long URL, with no
authentication required.
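Both problems come down to how a management web server handles the request line before it touches the disk: the traversal because ".." is never canonicalized against the document root, the denial of service because the URL length is never bounded. The following is an added example, written for this page and not Compaq's code, that reproduces the naive mapping and places the hardened version beside it. DOCROOT, MAX_URL_LEN, the exception names and the sample request lines are all assumptions constructed for the demo; the page does not give the real document root or the URL length that crashes the server. The hardened mapper goes beyond the two URLs quoted above and also handles percent-encoded dots, backslash separators and NUL bytes.

```python
"""Added example (not Compaq Insight Manager's code): a naive URL-to-file
mapping that shows the "root dot dot" traversal, beside a hardened mapper
that also caps request length.  DOCROOT and MAX_URL_LEN are assumed values."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/opt/cim/www"   # assumed document root; the real CIM root is not on the page
MAX_URL_LEN = 1024         # assumed cap; the crashing length is not stated on the page


class TraversalError(PermissionError):
    """Requested path resolves outside the document root."""


class RequestTooLong(ValueError):
    """Request URL exceeds the configured cap."""


def vulnerable_resolve(docroot, url_path):
    """Mimic the bug: glue the URL path onto the document root and let the
    filesystem interpret '..'.  normpath() shows where the OS actually lands,
    which with enough '../' components is outside docroot.  The number of
    components needed equals the depth of docroot, hence 'install-dependent'."""
    return posixpath.normpath(docroot + "/" + url_path.lstrip("/"))


def safe_resolve(docroot, url_path):
    """Map a URL path to a filesystem path, refusing anything that leaves docroot.

    Order matters: cap the length first, percent-decode exactly once, fold
    backslashes (Windows and NetWare hosts treat them as separators),
    canonicalize, then compare against the canonical root.  A substring check
    for '..' on the raw URL would miss '%2e%2e'; a check after decoding but
    before folding would miss '..\\'.  The caller must not decode again after
    this function, or a double-encoded '%252e' would slip through."""
    if len(url_path) > MAX_URL_LEN:
        raise RequestTooLong("request URL is %d bytes" % len(url_path))
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(docroot)
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise TraversalError("path escapes document root: " + full)
    return full


def classify_request(request_line):
    """Return (verdict, detail) for an HTTP request line such as
    'GET /index.html HTTP/1.0'.  Verdicts: ok, traversal, too_long, malformed."""
    parts = request_line.split(" ")
    if len(parts) < 2 or not parts[1].startswith("/"):
        return ("malformed", request_line[:80])
    try:
        return ("ok", safe_resolve(DOCROOT, parts[1]))
    except RequestTooLong as exc:
        return ("too_long", str(exc))
    except TraversalError as exc:
        return ("traversal", str(exc))
    except ValueError as exc:
        return ("malformed", str(exc))


if __name__ == "__main__":
    # Constructed request lines for the demo; the traversal ones mirror the
    # URLs quoted in the text, the last one mirrors the long-URL denial of service.
    samples = [
        "GET /index.html HTTP/1.0",
        "GET /docs/../index.html HTTP/1.0",
        "GET /../../../winnt/repair/sam._ HTTP/1.0",
        "GET /%2e%2e/%2e%2e/%2e%2e/winnt/repair/sam._ HTTP/1.0",
        "GET /..\\..\\..\\system\\ldremote.ncf HTTP/1.0",
        "GET /" + "A" * 4096 + " HTTP/1.0",
    ]
    print("vulnerable mapping of the NT example ->",
          vulnerable_resolve(DOCROOT, "/../../../winnt/repair/sam._"))
    for line in samples:
        verdict, detail = classify_request(line)
        print("%-9s %s" % (verdict, detail[:70]))
```

With the assumed three-level document root, exactly three "../" components are needed to reach the root of the disk, which is why the text says the count is install-dependent. The length cap is checked before any decoding so that an over-long request is rejected with bounded work; a server that parsed first and bounded later would still be doing the attacker's work for it.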
Resolution
The set of fixes for these vulnerabilities is fairly simple.
-
If the web-enabled version of Compaq Insight Manager is not being used,
disable the service. If it is being used, upgrade to a version that is
not vulnerable. Additionally, tighten the service's access controls so
that port 2301 is reachable only from the intranet and only read access
is available there.
-
Remove all backup SAM databases, or properly secure the directory
(C:\winnt\repair\) that holds them so that only the Administrator can read it.
The corollary is to physically secure all backup media and Emergency Repair
Disks (ERDs) as well, since they can also contain a backup SAM database.
-
Use strong(er) passwords. Since this exploitation process is so easy,
and you have no way of detecting whether your servers have already been
compromised, you should change all Administrator passwords immediately. On
servers that hold user accounts (not just service accounts) you should
enforce standards for password composition, expiration and reuse.
-
Novell recommends disabling RCONSOLE access and has no fix planned. The
work-around is simply to remove the Remote NetWare Loadable Module (NLM)
from memory with the UNLOAD RSPX and UNLOAD REMOTE commands at the console.
Novell suspects this is not practical for most sites, so the alternative is
to closely guard your ldremote.ncf, possibly by moving it to a different
location (security by obscurity). You should also consider using Auditcon
or a similar product to audit use of the file and track anyone who touches it.
Where can I read more about this?
The "root dot dot" vulnerability (CVE-1999-0771) was posted to
Bugtraq. The denial of service vulnerability (CVE-1999-0772) was also
posted to Bugtraq.