Bugtraq mailing list archives

Re: Password issue in Axent ESM 5.0.1 Console


From: blake () BOS BINDVIEW COM (Scott Blake)
Date: Fri, 14 Jan 2000 10:52:01 -0500


I don't understand what the security issue is here.  Sounds like ESM is
doing a good thing by passwording the console, but has a bug in the
password change code.  If they're using the MS Access native security,
recovering the password is trivial, so in essence there is no security
there at all.  One could make a case that there should be, but the bug in
password changing is hardly relevant to that.  Finally, tech support's
recommendation that the password be removed from the DB is perfectly
reasonable when you consider that it is utterly useless anyway.

-----
Scott Blake
blake () bos bindview com
Security Program Manager
BindView Corporation

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Todd
Sent: Wednesday, January 12, 2000 7:04 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Password issue in Axent ESM 5.0.1 Console


Axent's latest release of its ESM product was redesigned and supposedly
revamped around its new "Management Console".  The new management console
is based on an underlying Access Database.  The console is password
protected each time the application is launched.  However, when the user
wants to change the console password, the next time the application is
launched the database is inaccessible because the code does not update the
password on the database file.  It is reported that contact of Axent
resulted in being told to launch the MS Access DB file and disable password
checking.


