`Date: Wed, 26 May 1999 16:41:36 +0100
From: [email protected]
To: [email protected]
Subject: Infosec.19990526.compaq-im.a
Infosec Security Vulnerability Report
No: Infosec.19990526.compaq-im.a
=====================================
Vulnerability Summary
---------------------
Problem: The web server included in Compaq Insight
Manager could expose sensitive information.
Threat: Anyone who has access to port 2301 where
Compaq Insight Manager is installed could get
unrestricted access to the server's disk through
the "root dot dot" bug.
Platform: Detected on Windows NT and Novell Netware servers
running on Compaq hardware.
Solution: Disable the Compaq Insight Manager web server or
restrict anonymous access.
Vulnerability Description
-------------------------
When installing Compaq Insight Manager a web server gets installed. This web
server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This
bug gives unrestricted access to the vulnerable server's disk. It could easily
get exploited with one of the URLs:
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf
(How many dots there should be is install-dependent)
Solution
--------
You could probably fix the problem by restricting anonymous access to the Compaq
Insight Manager web server. If you are not using the web server, Infosec
recommends disabling the service.
Background
----------
Infosec gives the credits to Master Dogen who first reported the problem
(Windows NT and Compaq Insight Manager) to us and wanted us to go public with a
vulnerability report.
Infosec has found that Novell Netware with Compaq Insight Manager has the same
problem, but it is not as common as on Windows NT.
Compaq Sweden was informed about this problem on April 26, 1999.
//Gabriel Sandberg, Infosec
[email protected]
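
Added example (not part of the original posts and not Compaq's code): the "root dot dot" bug class from the report above, shown in Python as a naive URL-to-disk mapping beside a resolver that canonicalises the request and refuses anything outside the document root. `DOC_ROOT`, the function names and the sample requests are assumptions made for illustration; the safe resolver also decodes percent-encoding and treats backslashes as separators, which goes beyond the two URLs in the report.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root; the report does not say where the agent keeps its pages.
DOC_ROOT = "/compaq/wbem/htdocs"


def resolve_naive(url_path):
    """Vulnerable pattern: map the URL path onto disk and trust the result."""
    return posixpath.normpath(DOC_ROOT + "/" + url_path)


def resolve_safe(url_path):
    """Return the path under DOC_ROOT, or None when the request escapes it."""
    # Decode before checking, and treat "\" as a separator because
    # Windows NT and NetWare file APIs accept it.
    decoded = unquote(url_path).replace("\\", "/")
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Compare against DOC_ROOT plus a separator so a sibling directory such as
    # /compaq/wbem/htdocs-old does not pass a bare prefix check.
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


# Constructed request paths, modelled on the URLs quoted in the report.
SAMPLE_REQUESTS = [
    "/cpqlogin.htm",
    "/../../../winnt/repair/sam._",
    "/../../../system/ldremote.ncf",
    "/../htdocs-old/index.htm",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(f"{request!r:36} naive={resolve_naive(request)!r} safe={resolve_safe(request)!r}")
```

The naive resolver returns a path outside the document root for the dot-dot requests, while the safe one returns `None` for everything except `/cpqlogin.htm`.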
------------------------------------------------------------------------------
Date: Wed, 26 May 1999 16:13:19 -0500
From: Vacuum <[email protected]>
To: [email protected]
Subject: Re: Infosec.19990526.compaq-im.a
Please disregard previous post, the signature got in the way of a paste
In addition to //Gabriel Sandberg, Infosec [email protected]'s
findings.
Web-Based Management is enabled, by default, when you install the Compaq
Server Management Agents for Windows NT (CPQWMGMT.EXE). The web-enabled
Compaq Server Management Agents allow you to view subsystem and status
information from a web browser, either locally or remotely. Web-enabled
Service Management Agents are available in all 4.x versions of Insight
Manager.
Compaq HTTP Server Version 1.2.15 (Pre-Release)
The only user accounts available in the Compaq Server Management
Agent WEBEM release are listed below.
http://111.111.111.111:2301/cpqlogin.htm
account anonymous
username anonymous
password
account user
username user
password public
account operator
username operator
password operator
account administrator
username administrator
password administrator
http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes
is the url used to change the password. Unfortunately the password is
the only information that can be changed and is stored in
clear text in the following file.
c:\compaq\wbem\cpqhmmd.acl
-------------------------------------------------------------------------------------
Compaq-WBEM-AclFile, 1.1
anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F
login in progress... login in progress... 7A21DD9917C0C23907267FC07DBC7D12
administrator administrator D6022D9B3FCA717CCEED36E640160478 51B02137D6BF719FC62F4940DBE1F3E6
operator operator B5CE548356D1BEA5F1CFEE12FE9502C3 041D1015AEC9F60412C7F86E62D6672C
user user EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A
Once you have found one WBEM-enabled machine, using Compaq's HTTP
Auto-Discovery Device List http://111.111.111.111:2301/cpqdev.htm
it is trivial to locate other machines.
------------------------------------------------------------------------------
Date: Thu, 27 May 1999 21:43:09 -0500
From: Vacuum <[email protected]>
To: [email protected]
Subject: Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)
Upon further research, I must retract my earlier statement that the
Compaq Insight Manager Web Agent's passwords are stored in clear text.
In fact, what we see in cpqhmmd.acl are the account name and username in
clear text, NOT the password.
Explanation of username and password combinations mentioned in my previous
post.
c:\compaq\wbem\cpqhmmd.acl
or
http://111.111.111.111:2301/../../../compaq/wbem/cpqhmmd.acl
cpqhmmd.acl contents:
Compaq-WBEM-AclFile, 1.1
anonymousanonymous737EEEFA7617ED94EDD74E659B83035F
login in progress...login in progress...7A21DD9917C0C23907267FC07DBC7D12
administratoradministrator37741E7AC5B9871F87CE6ABE15B28FCB070293B3998C461D866E277A259619F0
operatoroperatorB5CE548356D1BEA5F1CFEE12FE9502C3041D1015AEC9F60412C7F86E62D6672C
useruserEC286E733A8892ADFC895611D1557557C865DE636CA398F8523EDBE5700D457A
The default usernames and password combinations that I mentioned in my previous
post are still valid.
Once again these are the defaults:
account: anonymous username: anonymous password:
account: user username: user password: public
account: operator username: operator password: operator
account: administrator username: administrator password: administrator
There are three types of data:
Default(read only), Sets(read/write), and Reboot(read/write).
The WebAgent.ini file in the system_root\CpqMgmt\WebAgent directory specifies the
level of user that has access to data. The "read=" and "write=" entries in the file
set the user accounts required for access, where: 0 = No access, 1 = Anonymous,
2 = User, 3 = Operator, and 4 = Administrator.
Changing these entries changes the security. The web-enabled Server Agent service
must be stopped and restarted for any changes to take effect. Do not modify anything
except the read/write levels.
New Denial of service:
Just to make this post somewhat worthwhile.
http://111.111.111.111:2301/AAAAAAAA..... (223 A's seemed to be the
minimum)
The first time this occurs, an application error occurs in surveyor.exe
Exception: access violation (0xc0000005), Address: 0x100333e5
If you restart the Insight Web Agent Service and repeat, it
will cause an application error in cpqwmget.exe
Exception: access violation(0xc0000005), Address 0x002486d4
The http://111.111.111.111 will no longer respond until the service is
stopped and restarted.
Apologies for my previous error.
vac
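
Added example (not part of the original post and not Compaq's tooling): a Python audit of the "read=" and "write=" levels described above, flagging any entry that grants access below a chosen minimum, such as Anonymous. The section names in the sample, the policy defaults and the function name are assumptions; only the "read="/"write=" keys and the 0 to 4 level meanings come from the post.

```python
import configparser

# Level meanings as given in the post.
LEVELS = {0: "No access", 1: "Anonymous", 2: "User", 3: "Operator", 4: "Administrator"}

# Constructed sample; the section names are assumed, the real file layout is not shown.
SAMPLE_INI = """\
[Default]
read=1
[Sets]
read=2
write=1
[Reboot]
read=3
write=4
"""


def audit_webagent_ini(text, min_read=2, min_write=3):
    """Return (section, key, value, reason) for every entry weaker than the policy."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, minimum in (("read", min_read), ("write", min_write)):
            raw = parser.get(section, key, fallback=None)
            if raw is None:
                continue  # entry absent, nothing to judge
            try:
                level = int(raw.strip())
            except ValueError:
                findings.append((section, key, raw, "not a number"))
                continue
            if level not in LEVELS:
                findings.append((section, key, raw, "unknown level"))
            elif level != 0 and level < minimum:
                # 0 means no access at all, so it always satisfies the policy.
                reason = f"{LEVELS[level]} allowed, policy requires {LEVELS[minimum]} or higher"
                findings.append((section, key, raw, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_webagent_ini(SAMPLE_INI):
        print(finding)
```

With the constructed sample, the anonymous read on `Default` and the anonymous write on `Sets` are reported.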
------------------------------------------------------------------------------
Date: Fri, 28 May 1999 08:54:10 -0400
From: Ricky Mitchell <[email protected]>
To: [email protected]
Subject: second compaq insight manager vulnerablilty
Greetings,
Yesterday while I was removing the "web insight agent" service from our
vulnerable NT servers, I noticed on some machines that port 2301 was still
vulnerable. To completely remove the problem, make sure you also stop the
"surveyor" service as well if you have that installed. That will
completely shut off access to port 2301 and plug the hole.
Regards,
Rick Mitchell
NT administrator
Columbia Gas Transmission Corp
------------------------------------------------------------------------------
Date: Mon, 7 Jun 1999 10:28:22 -0400
From: Andrew Kunz <[email protected]>
To: [email protected]
Subject: Update on compaq webadmin
Look what compaq figured out <grin>
For Immediate Release 1 June 7, 1999
Compaq Computer Corporation
Compaq Security Advisory
Posted: June 7, 1999
Compaq Management Agent Security Vulnerability
Summary
As part of an ongoing concern about security and Internet technology, Compaq has identified a potential
security hole in the web-enabled portion of Compaq Management Agents and the Compaq Survey Utility
when installed as an agent. This security hole can allow read access to files whose location and filename
are known or be used to terminate the process controlling the web agents. This affects the web component
of Compaq Management Agents version 4.0 and greater and the Compaq Survey Utility version 2.0 and
greater when installed as an agent. SNMP and DMI components without the web capability enabled
are not affected.
While there are no reports of customers being adversely affected by this vulnerability, Compaq is
proactively releasing this bulletin to allow customers to take appropriate action to protect themselves
against it.
Issue
The web component of Compaq Management Agents version 4.0 and greater and Compaq Survey Utility
2.0 and greater provide HTTP services to allow management information to be accessible through a web
browser. Compaq has always advocated that these agents and utilities be deployed only in private networks
and were not for use on the Internet or systems outside the bounds of a firewall. Because of this, Compaq
believes that the primary threat is an internal one.
These agents have been discovered to be vulnerable to a file read security hole which allows files whose
location and name are known to be read on the file system on which the agents are installed and an
overflow security hole that potentially terminates the web agent process. In some cases with Novell
NetWare it has caused the server to stop responding.
Affected Software Versions
This affects the web component of all Compaq Management Agents 4.0 and greater running with Windows
NT, Windows 9x, Windows 2000, NetWare and Tru64 Unix. Additionally affected is the Compaq Survey
Utility 2.0 and greater when installed as an agent on Windows NT or NetWare.
Agent software affected includes those installed on ProLiant and Prosignia servers (since May, 1998), AlphaServers with Windows
NT (since October, 1998), AlphaServers with Tru64 Unix (since May, 1999), DIGITAL Intel Servers
(since October, 1998), Professional Workstations (since May, 1998), Deskpro and Prosignia desktops
(since September, 1998), and Armada and Prosignia portables (since September, 1998). A complete matrix
can be found at the end of this document. Compaq Management Agents for SCO Unix, UnixWare and
OpenServer, IBM OS/2 and Compaq OpenVMS are not affected in any way.
What Compaq is doing
Compaq is actively pursuing the testing and release of a software fix to the problem. This will be initially
released as a new version 4.23b of the Server Management Agents and a new version 2.18 of the Survey
Utility. The Client Management Agent which is pre-installed at the factory will become version 4.3. A
SoftPAQ with the Client Management Agent 4.2C will be issued with the fix.
--
Andrew Kunz
Telecom Analyst
Central Computing Facility
TDIT Server Technology
mailto:[email protected]
phone (416) 983-9027
pager (416) 375-8427
[email protected]
-------------------------------------------
`