- Date: Sun, 21 Feb 1999 21:19:42 -0500
- From: Weld Pond <weld@L0PHT.COM>
- To: BUGTRAQ@netspace.org
- Subject: Severe Security Hole in ARCserve NT agents (fwd)
-
- ---------- Forwarded message ----------
- Date: Sun, 21 Feb 1999 17:44:55 -0500
- From: ELVIS <LEEEEEECH@msn.com>
- To: news@rootshell.com
- Cc: hotnews@l0pht.com, CAI <support@cai.com>, security@microsoft.com
- Subject: Severe Security Hole in ARCserve NT agents
-
-
- This is absolutely pathetic.
-
- You can obtain user names and passwords used by ARCserve NT agents when an
- NT system is backed up over a TCP/IP network. Usually, for complete access
- to the system, these accounts will be granted administrator rights. This
- only affects the "stock" NT agents. The Exchange and SQL backup agents
- appear to use NTLANMAN authentication (which has its own problems). There
- are probably similar exploits available over IPX/SPX and NetBEUI, but this
- note only covers TCP/IP.
-
- Set your sniffer (Network Monitor from Systems Management Server will do)
- to listen for TCP/IP packets directed to port 6050 (17A2 hex). This will
- be the ARCserve server connecting to the remote client. The third packet
- you get is the one you want.
-
- The user name will be at offset 0x00EE in clear ASCII text.
-
- The password will be at offset 0x011E. Simply XOR these bytes with the
- ASCII values of the string "Ambuf1,et(0,21)", minus quotes of course, to
- get the PLAIN TEXT password!
-
- ACK! YOU THOUGHT MICROSOFT WAS BAD!!!! GAG! BARF! These people SHOULD
- BE ASHAMED OF THEMSELVES!!!!
-
- If you bother to search, you will find "Ambuf1,et(0,21)" in no less than 17
- ARCserve EXEs and DLLs.
-
- It is suggested that all ARCserve customers cease using the NT agents
- immediately if not sooner.
-
-
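The message says the fixed string "Ambuf1,et(0,21)" is embedded in at least 17 ARCserve EXEs and DLLs. The following is an added example, not part of the original message or of any vendor tooling: a small inventory script that lists which binaries under a directory embed that string, so an administrator can see which installed components carry the static key. The function names are hypothetical, and the assumption that the string may be stored as ASCII or UTF-16LE is ours.

```python
import os
import sys

# Static XOR key string quoted in the message above.
KEY = "Ambuf1,et(0,21)"
# Assumption: a binary may hold the string as ASCII or as UTF-16LE (wide) text.
PATTERNS = {"ascii": KEY.encode("ascii"), "utf-16le": KEY.encode("utf-16-le")}


def find_key(path, chunk_size=64 * 1024):
    """Return sorted (encoding, file_offset) pairs where the key occurs."""
    overlap = max(len(p) for p in PATTERNS.values()) - 1
    hits = set()
    buf, base = b"", 0  # base = file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            buf += block
            for name, pat in PATTERNS.items():
                pos = buf.find(pat)
                while pos != -1:
                    hits.add((name, base + pos))
                    pos = buf.find(pat, pos + 1)
            # Keep a tail so a match straddling two reads is still found;
            # the set absorbs any match seen twice.
            keep = buf[-overlap:]
            base += len(buf) - len(keep)
            buf = keep
    return sorted(hits)


def scan_tree(root, exts=(".exe", ".dll")):
    """Map each EXE/DLL under root that embeds the key to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(exts):
                full = os.path.join(dirpath, fname)
                hits = find_key(full)
                if hits:
                    report[full] = hits
    return report


if __name__ == "__main__" and len(sys.argv) == 2:
    for path, hits in sorted(scan_tree(sys.argv[1]).items()):
        print(path, hits)
```

Run it with the agent's installation directory as the only argument; each output line is a file path followed by the encodings and offsets at which the string was found.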