Firewall Wizards mailing list archives
Re: Infosec.19990526.compaq-im.a (fwd)
From: Misha <misha () insync net>
Date: Wed, 2 Jun 1999 02:42:42 -0500 (CDT)
if this is a Compaq box, this might be the survey utility, which is used to inspect and report system configuration for support purposes. It gathers hardware and software information and saves it as a history of multiple sessions in a single configuration history file.
Survey.exe pegged the CPU at 100% when I tried to disable the Compaq Insight Manager a couple of months ago, while locking down some IIS machines. It looked like it was enumerating quite a few registry keys, as well as hardware info and other information it shouldnt have been getting, for web based management. I have included the recent advisory on Insight Manager from Bugraq. You should be able to find the complete archives on the Bugtraq site. I would disable any vendor managent tools on any production machines as soon as possible. Misha Insync Internet Services ---------- Forwarded message ---------- Date: Wed, 26 May 1999 16:13:19-0500 From: Vacuum <vacuum () SWORD DAMOCLES COM> To: BUGTRAQ () netspace org Subject: Re: Infosec.19990526.compaq-im.a Vulnerability Summary --------------------- Problem: The web server included in Compaq Insight Manager could expose sensitive information. Threat: Anyone that have access to port 2301 where Compaq Insight Manager is installed could get unrestricted access to the servers disk through the "root dot dot" bug. Platform: Detected on Windows NT and Novell Netware servers running on Compaq hardware. Solution: Disable the Compaq Insight Manager web server or restrict anonymous access. Vulnerability Description ------------------------- When installing Compaq Insight Manager a web server gets installed. This web server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This bug gives unrestricted access to the vulnerable server?s disk. It could easily get exploited with one of the URLs: http://vulnerable-NT.com:2301/../../../winnt/repair/sam._ http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf Solution -------- You could probably fix the problem by restricting anonymous access to the Compaq Insight Manager web server. If you are not using the web server, Infosec recommends disabling the service. Background ---------- Infosec gives the credits to Master Dogen who first reported the problem (Windows NT and Compaq Insight Manager) to us and wanted us go public with a vulnerability report. Infosec have found that Novell Netware with Compaq Insight Manager have the same problem but is not as common as on Windows NT. Compaq Sweden was informed about this problem april 26, 1999 ---------- Forwarded message ---------- Date: Wed, 26 May 1999 16:13:19-0500 From: Vacuum <vacuum () SWORD DAMOCLES COM> To: BUGTRAQ () netspace org Subject: Re: Infosec.19990526.compaq-im.a Please disgregard previous post, the signature got in the way of a paste In addition to //Gabriel Sandberg, Infosec gabriel.sandberg () infosec se's findings. Web-Based Management is enabled, by default, when you install the Compaq Server Management Agents for Windows NT.(CPQWMGMT.EXE) The web-enabled Compaq Server Management Agents allow you to view subsystem and status information from a web browser, either locally or remotely. Web-enabled Service Management Agents are availible in all 4.x versions of Insight Manager. Compaq HTTP Server Version 1.2.15 (Pre-Release) The only user accounts available in the Compaq Server Management Agent WEBEM release are listed below. http://111.111.111.111:2301/cpqlogin.htm account anonymous username anonymous password account user username user password public account operator username operator password operator account administrator username administrator password administrator http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes is the url used to change the password. Unfortunately the password is the only information that can be changed and is stored in clear text in the following file. c:\compaq\wbem\cpqhmmd.acl ------------------------------------------------------------------------------------- Compaq-WBEM-AclFile, 1.1 anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F login in progress... login in progress... 7A21DD9917C0C23907267FC07DBC7D12 administrator administrator D6022D9B3FCA717CCEED36E640160478 51B02137D6BF719FC62F4940DBE1F3E6 operator operator B5CE548356D1BEA5F1CFEE12FE9502C3 041D1015AEC9F60412C7F86E62D6672C user user EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A Once you have found one wbem enabled machine, using compaq's HTTP Auto-Discovery Device List http://111.111.111.111:2301/cpqdev.htm It is trivial to locate other machines.
Current thread:
- Re: Infosec.19990526.compaq-im.a (fwd) Misha (Jun 03)