Bugtraq mailing list archives

Re: Tivoli Management Framework Alert!!!


From: Duct Tape <duc_ttape () yahoo com>
Date: Fri, 3 Aug 2001 09:02:07 -0700 (PDT)

After conducting the penetration testing, we were able to gain full
access to other machines inside a customer's DMZ network because of
Tivoli!!!

Scenario:

Cisco PIX firewall protecting a set of Internet Web and database
servers from the Internet in a DMZ.  The PIX also protected the
internal machines from the Internet.  The machines in the DMZ were both
NT and Unix.  The internal network had a Tivoli management station
which monitored the DMZ machines and internal machines.

Testing:

We were able to break into an IIS server that hadn't been patched for
the CGI decode vulnerability.  With this vulnerability we could upload
an exec program on Windows with which we could spoof the name and IP
address of the sending machine.  With this tool we could send commands
to all other Unix machines in the same DMZ that would be executed under
the permissions of the Tivoli management station.

Alert:

Tivoli requires Rexec (port 512) to run on their managed hosts.  When
these hosts are connected to the Internet, there is a huge risk Tivoli
will allow full access to all machines in your DMZ.

Actions to be taken by Admins:

Disable Tivoli monitoring of DMZ machines until IBM fixes the
problem.

Requests to IBM:

Have you ever heard of SSH?  Remove rexec from all Tivoli product
requirements and replace with SSH.

Follow up:

We are still looking at vulnerabilities in CORBA 1.1 and port 94. 
Anyone with vulnerability knowledge in either, please forward to Duct
Tape.

I am curious about doing some penetration testing on a site that has
Tivoli installed on its Internet web servers.  Based upon some IBM
Redbook documentation on Tivoli, it looks like Tivoli requires many
ports to be opened: 94, 512 (exec), and all above 1024.

If this is true and if I can take over one of their IIS servers,
shouldn't I be able to use these Tivoli ports to take over any other
server especially those Unix machines with exec running on them?  I'm
also curious about any vulnerabilities found in version 1.1 of CORBA
because this technology is what Tivoli is built upon according to
IBM's documents.  Port 94 has something to do with these CORBA calls.



=====
duc_ttape () yahoo com
Duct Tape: I have a light side and a dark side,
and I hold my universe together.



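The post's alert rests on rexec (TCP/512) being reachable on the managed hosts. The example below is added here and is not code from the original post, from IBM or from Tivoli: it encodes an rexec request the way a client sends it and decodes it the way rexecd reads it, so that the exchange, and what any observer on the path sees, is concrete. The BSD rexec format (ASCII stderr port, user name, cleartext password, command, each NUL-terminated; a NUL byte back on success, 0x01 plus a message on failure) is the real protocol; the account table, user name, password and command are constructed, the server is an in-memory mock (nothing listens on 512), and the port 94 traffic the post asks about is not modelled.

```python
# Added example, not code from the original Bugtraq post or from IBM/Tivoli:
# the BSD rexec wire format that rexecd speaks on TCP/512, encoded the way a
# client sends it and decoded the way the server reads it. Accounts, user
# names, passwords and commands below are constructed for the demonstration.

REXEC_PORT = 512  # where rexecd listens; informational only, nothing connects

# Constructed credential table standing in for the managed host's password
# database; a real rexecd authenticates against the system accounts.
MOCK_ACCOUNTS = {"tivoli": "s3cret"}


def build_rexec_request(username, password, command, stderr_port=0):
    """Encode an rexec request as rexecd expects it.

    Four NUL-terminated fields: the ASCII decimal port the server should
    connect back to for stderr ("0" = none), the user name, the password in
    the clear, and the command line to run as that user.
    """
    fields = (str(stderr_port), username, password, command)
    for f in fields:
        if "\0" in f:
            raise ValueError("NUL is the field separator; not allowed inside a field")
    return b"".join(f.encode("latin-1") + b"\0" for f in fields)


def parse_rexec_request(data):
    """Decode a request the way rexecd does and return the four fields.

    There is no encryption or integrity protection: anyone on the path sees
    these bytes, and anyone who can reach the port can replay them.
    """
    parts = data.split(b"\0")
    if len(parts) != 5 or parts[4] != b"":
        raise ValueError("malformed rexec request: expected four NUL-terminated fields")
    port, user, password, command = (p.decode("latin-1") for p in parts[:4])
    if not port.isdigit():
        raise ValueError("stderr port must be ASCII decimal")
    return {"stderr_port": int(port), "user": user,
            "password": password, "command": command}


def mock_rexecd_response(request):
    """Answer as rexecd does: a single NUL byte on success, otherwise a 0x01
    byte followed by a newline-terminated error message."""
    try:
        req = parse_rexec_request(request)
    except ValueError as exc:
        return b"\x01" + str(exc).encode("latin-1") + b"\n"
    if MOCK_ACCOUNTS.get(req["user"]) != req["password"]:
        return b"\x01Login incorrect.\n"
    return b"\0"


def rexec_exchange(username, password, command):
    """Run one client/server round trip in memory and return
    (bytes on the wire, what the server decoded, the server's reply)."""
    wire = build_rexec_request(username, password, command)
    decoded = parse_rexec_request(wire)
    return wire, decoded, mock_rexecd_response(wire)


if __name__ == "__main__":
    for pw in ("s3cret", "guess"):
        wire, seen, reply = rexec_exchange("tivoli", pw, "id")
        print("client -> rexecd:", wire)
        print("rexecd decoded  :", seen)
        print("rexecd -> client:", reply)
```

Against a real rexecd the bytes would be the same, only carried over TCP/512; the request contains everything needed to run a command as that user, and the password crosses the wire in the clear, which is why the post asks for the rexec dependency to be replaced with SSH.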