Bugtraq mailing list archives
Re: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44 Ma nagement Tool
From: ollie () DELPHISPLC COM (Ollie Whitehouse)
Date: Sat, 27 May 2000 09:44:10 +0100
Luciano, The issue we found was that if the WebShield management agent is unable to resolve your IP address to a host name (i.e. local host) it will allow you access. By resolve I mean by another of the following means: Netbios / WINS DNS A good way of testing this is to have something like ATGuard which blocks all traffic coming from your machine (i.e. browser broadcasts). So nothing is able to resolve your IP to NAME then connect to port 9999. We had both issues confirmed by Network Associates on the 22nd May 2000 by the development team/product manager. Rgds Ollie ------ Security Team Leader Delphis Consulting Plc Tel: +44 (0)20 79160200 Fax: +44 (0)20 79161620 -----Original Message----- From: Luciano Martins [mailto:luck () USSRBACK COM] Sent: Friday, May 26, 2000 5:02 AM To: BUGTRAQ () SECURITYFOCUS COM Subject: Re: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44 Management Tool -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 well, hello first :), we have been researching McAfee WebShield SMTP v4.5.74.0 for a long time (since the middle of march), and by default only (localhost) can connect to port 9999. So this "Authentication issue in WebShield SMTP v4.5.44 Management", has no effect on the last version released the March 15, 2000.
II. Solution ==================================================================== ======== ==== Vendor Contacted: 8-May-2000 Currently there is no vendor patch available but there is the following preventative measures:
Of course, NAI did nothing because the problem is already fixed in latest version. u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h http://www.ussrback.com Security Team wrote:
==================================================================== ======== ==== Delphis Consulting Plc ==================================================================== ======== ==== Security Team Advisories [08/05/2000] securityteam () delphisplc com ==================================================================== ======== ==== Adv : DST2K0004b Title : Authentication issue in WebShield SMTP v4.5.44 Management Tool Author : DCIST (securityteam () delphisplc com) O/S : Microsoft Windows NT v4.0 Server (SP6) Product : NAI WebShield SMTP v4.0.5 Date : 08/05/2000 (Updated 15/05/2000) I. Description II. Solution III. Disclaimer ==================================================================== ======== ==== I. Description ==================================================================== ======== ==== Delphis Consulting Internet Security Team (DCIST) discovered the following vuln- erability in the NAI Management Agent for WebShield SMTP under Windows NT. Connecting to a machine which runs the management agent on port 9999 may allow an attacker to obtain read and write access to the configuration of a WebShield SMTP server. This appears to happen, even if the the MailCfg service is set to only allow configuration to take place from "localhost" in some configurations. The configuration data appears written to the registry before the service suffers from lack of bounds checking. This information written to the registry can be used to prevent the WebShield service from being started. Update: 15/05/2000 The configuration agent uses hostname for authentication, if the server upon which the management agent is running is unable to resolve a hostname to the IP address it will allow access by default. II. Solution ==================================================================== ======== ==== Vendor Contacted: 8-May-2000 Currently there is no vendor patch available but the following are preventative measures Delphis Consulting Internet Security Team would advise users running this service to implement. o Don't allow the service to run as SYSTEM but as a restricted user account. o Access list port 9999 on the local router or firewall to restrict access to only required machines. o Stop the management service. III. Disclaimer ==================================================================== ======== ==== THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. ==================================================================== ======== ====
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> iQA/AwUBOS33TK3JcbWNj6DDEQIvSQCff0TkimgvR2uzrPX0B8KWM5qOfZUAoIY4 50aMC/IqH9mcNPt8g1r7EQk4 =kegL -----END PGP SIGNATURE-----
Current thread:
- Re: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44 Ma nagement Tool Ollie Whitehouse (May 27)
- KDE: /usr/bin/kdesud, gid = 0 exploit noir (May 26)
- Re: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44 Management Tool Luciano Martins (May 27)