Corsaire Limited Security Advisory - Symantec/Axent NetProwler 3. 5.x database configuration

[Martin O'Neal <BugTraq () corsaire com>]

-- Corsaire Limited Security Advisory --

Title: Symantec/Axent NetProwler 3.5.x database configuration
Date: 07.04.01
Application: Symantec/Axent NetProwler 3.5.x 
Environment: WinNT 
Author: Martin O'Neal [martin.oneal () corsaire com]
Audience: General distribution


-- Scope --

The aim of this document is to clearly define some issues related to 
a potentially unsound database configuration within the NetProwler 
application environment as provided by Symantec/Axent [1].


-- History --

Vendor notified: 07.04.01 
Document released: 09.05.01


-- Overview --

The latest version of the NetProwler intrusion detection product comes 
as a three-tiered architecture, consisting of agents, a management 
component, and a console. Both configuration and auditing information 
is stored within a MySQL database hosted locally on the management tier 
of the product. This database is exposed unnecessarily to potential 
network scrutiny due to being configured by default to listen to all 
local IP addresses.


-- Analysis --

The MySQL database included with the NetProwler product is used to 
store both configuration and auditing information on the management tier. 
This is accessed via an ODBC connection on the default MySQL port 
(TCP/3306).

Because it is possible to connect to the databases remotely, if the 
correct access password can be obtained (see Corsaire advisory 
010317-001a [2]), it is possible to amend the data contained within them, 
or simply delete the databases causing a denial of service in the 
management tier.

In theory, using this flaw it is feasible to disable the IDS capabilities 
of NetProwler, perform whatever attack is required, and then reconfigure
the host to its prior state.

As a proof of concept, a tool was created that simply deletes the 
NetProwler databases causing a denial of service. This was provided to 
the vendor, but will not be made freely available.. 


-- Recommendations --

The MySQL databases do not need to be accessed by remote systems, so the
MySQL engine can be configured to listen to localhost only. To do this, 
edit the c:\my.cnf file and add the following line, then restart the host:

  [MySQLd]
  bind-address=127.0.0.1


-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=
    50&PID=3061537
[2] http://www.corsaire.com/advisories/010317-001a.txt


-- Revision --

Initial release.


Copyright 2001 Corsaire Limited. All rights reserved.




----------------------------------------------------------------------
CONFIDENTIALITY: This e-mail and any files transmitted with it are 
confidential and intended solely for the use of the recipient(s) only. 
Any review, retransmission, dissemination or other use of, or taking 
any action in reliance upon this information by persons or entities 
other than the intended recipient(s) is prohibited. If you have 
received this e-mail in error please notify the sender immediately 
and destroy the material whether stored on a computer or otherwise. 
----------------------------------------------------------------------
DISCLAIMER: Any views or opinions presented within this e-mail are 
solely those of the author and do not necessarily represent those 
of Corsaire Limited, unless otherwise specifically stated. 
----------------------------------------------------------------------

Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey GU23 7EF
Telephone:+44(0)1483-226000 Email:info () corsaire com