Novell NetIQ Privileged User Manager modifyAccounts Security Bypass

2012-12-07T00:00:00
ID SAINT:6E4D50D4E6E1BDFDF26E987B301FA646
Type saint
Reporter SAINT Corporation
Modified 2012-12-07T00:00:00

Description

Added: 12/07/2012
BID: 56535
OSVDB: 87335

Background

Novell NetIQ Privileged User Manager (NPUM) allows IT administrators to work on systems without exposing superuser (administrator or supervisor) passwords or root-account credentials to the administrator.

Problem

NetIQ Privileged User Manager 2.3.1 and earlier contain an unauthenticated password reset vulnerability caused by an error in the pa_modify_accounts() function of the auth.dll module. An attacker may reset the admin password and then use the admin account to upload malicious files and execute them on the server with SYSTEM privileges.

Resolution

Contact the vendor for a fix. Restrict network access to the NetIQ Privileged User Manager service to users of the system.

References

<http://retrogod.altervista.org/9sg_novell_netiq_i_adv.htm>
<https://www.netiq.com/products/privileged-user-manager/>

Limitations

This exploit has been tested against Novell Privileged User Manager 2.3.1 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut).

This exploit changes the password for the admin account.

The exploit requires the IO-Socket-SSL Perl module to be installed on the scanning host. This module is available from <http://www.cpan.org/modules/by-module/IO/>.

Platforms

Windows