Compaq Insight Manager Vulnerability and Exploit  

Security Issue: Exploiting Compaq Insight Manager to Gain Administrator Access

Time from thought to exploit: 4 hours

Risk Classification: High (gain administrator/rconsole access capability)
Effort to Exploit: Easy
Effort to Mitigate: Medium/Easy
Sphere of vulnerability: Any network-attached device that can access port 2301

Steps to Exploit:

  1. Learn.  Read about the Compaq Insight Manager vulnerability at SecurityFocus.  Find the Compaq Insight Manager vulnerability by searching the BugTraq mailing list archives.
    Infosec Security Vulnerability Report
    No: Infosec.19990526.compaq-im.a
    =====================================

    Vulnerability Summary
    ---------------------

    Problem:  The web server included in Compaq Insight
                   Manager could expose sensitive information.

    Threat:   Anyone that has access to port 2301 where
                   Compaq Insight Manager is installed could get
                   unrestricted access to the server's disk through
                   the "root dot dot" bug.

    Platform: Detected on Windows NT and Novell Netware servers
                   running on Compaq hardware.

    Solution: Disable the Compaq Insight Manager web server or
                   restrict anonymous access.
     

    Vulnerability Description
    -------------------------
    When installing Compaq Insight Manager a web server gets installed. This web
    server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This
    bug gives unrestricted access to the vulnerable server's disk. It could easily
    get exploited with one of the URLs:

    http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
    http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf

    (How many dots there should be is install-dependent)
     

    Solution
    --------
    You could probably fix the problem by restricting anonymous access to the Compaq
    Insight Manager web server. If you are not using the web server, Infosec
    recommends disabling the service.
     

  2. Reconnaissance.  Scan the network to identify all machines running the Compaq Insight Manager using the network mapping tool called nmap:
       nmap -p 2301 (Address)/16
  3. Test.  Testing for the vulnerability yields the following version/status information:

     Compaq Insight Manager Version            Status
     ----------------------------------------  ----------
     Compaq HTTP Server 1.2.14                 Vulnerable
     Compaq HTTP Server 1.2.15 (pre-release)   Vulnerable
     Compaq HTTP Server 1.3.12                 Vulnerable
     Compaq HTTP Server 1.4.10                 Vulnerable
     Compaq HTTP Server 1.5.3                  OK
     Compaq HTTP Server 2.0.8                  OK
  4. Exploit.  Exploiting the vulnerability takes a few steps, but can be accomplished fairly quickly.  Essentially, for Windows NT, the unprotected backup SAM file (found in C:\winnt\repair\sam._) will be copied to the local PC from the server running Compaq Insight Manager so the passwords on that server can be cracked.  The SAM file contains user login names and the associated encrypted passwords.  (Note, these passwords can even be cracked by a PalmPilot given enough time and batteries.)  If you are lucky, you will get the Administrator password.  For Netware, copy the ldremote file (found in \System\ldremote.ncf) to the local PC from the server running Compaq Insight Manager so the rconsole password can be cracked.  Once the passwords are cracked, the box is owned by the hacker!

     Microsoft Windows NT:
       Using the correct URL, do a File -> Save Target As in Internet Explorer to save the sam._ file from the server to the local PC.
       Uncompress the file by using the expand command:
         expand sam._ sam.server
       Using L0phtCrack, load the SAM file and start cracking.  Find approximately 25% immediately.  Let it run overnight to get most/all passwords.  Exploit the password by...

     Novell Netware:
       Using the correct URL, do a File -> Save Target As in Internet Explorer to save the ldremote.ncf file from the server to the local PC.
       Find the Remote.NLM password decryption tool at PacketStorm.  Run REMOTE.EXE with the encrypted password string as the argument to decrypt the rconsole password immediately.

     Exploit the passwords found by mounting the server's drive, reading files, crashing the server, installing Trojan Horses/viruses.
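As an added illustration of the defender's side of the "root dot dot" bug described in the advisory above (this is my example, not code from the page or from Compaq/Infosec), the following Python scans web-server log lines for requests that climb above the web root of the port 2301 server and flags those aimed at the two files the advisory names; the log line format and the SAMPLE_LOG entries are constructed assumptions, not Insight Manager's real log layout.

```python
import re
from urllib.parse import unquote

# Files the advisory quoted above names as the traversal's targets (labels are mine).
SENSITIVE_FILES = {"winnt/repair/sam._": "NT backup SAM database",
                   "system/ldremote.ncf": "NetWare rconsole password file"}
# Assumed log format "time client method path status"; not Insight Manager's own log layout.
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|HEAD|POST) (\S+) (\d{3})$")

def normalize_path(raw_path):
    """Percent-decode twice (catches %252e double encoding) and fold backslashes to slashes."""
    return unquote(unquote(raw_path)).replace("\\", "/")

def root_escapes(path):
    """Count '..' segments that climb above the web root; a correct server refuses these."""
    depth = escapes = 0
    for seg in path.split("/"):
        if seg == "..":
            if depth == 0:
                escapes += 1
            else:
                depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return escapes

def analyze_request(line):
    """Return a finding for a traversal attempt, or None for a benign request."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when, client, _method, raw_path, status = m.groups()
    path = normalize_path(raw_path)
    escapes = root_escapes(path)
    if escapes == 0:
        return None
    target = next((label for f, label in SENSITIVE_FILES.items()
                   if path.lower().endswith(f)), "other file")
    return {"time": when, "client": client, "escapes": escapes,
            "target": target, "served": status == "200"}

def scan_log(lines):
    """Apply analyze_request to each line and keep only the findings."""
    return [f for f in map(analyze_request, lines) if f]

# Constructed sample lines (not real server output) mirroring the advisory's two URLs.
SAMPLE_LOG = [
    "1999-06-01T09:00:00 10.1.1.20 GET /index.htm 200",
    "1999-06-01T09:05:12 10.1.1.77 GET /../../../winnt/repair/sam._ 200",
    "1999-06-01T09:05:40 10.1.1.77 GET /..%5c..%5c..%5cSYSTEM/ldremote.ncf 200",
    "1999-06-01T09:06:01 10.1.1.77 GET /%252e%252e/%252e%252e/config.sys 404",
]
```

A finding with "served": True means the server answered 200 to a request that escaped its root, which on a version listed as Vulnerable above is the signal that the file was actually disclosed rather than merely probed for.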

Success Statistics:

Steps to Fix:

Fundamentally, there are two security tenets that were not followed, which led to this exposure:
  1. If you don't use it, disable it!  For all those services that are running by default on the server (both UNIX and NT are problematic here), determine whether it is being used or not.  If it is being used, then figure out how to properly configure and secure the service.  If it is NOT BEING USED, then DISABLE IT!
  2. Stay vigilant!  Watch for security vulnerabilities and exploits for the software services and hardware platforms in use.  You need to watch the hacker lists as well as the vendor announcements.  This particular Compaq Insight Manager vulnerability was announced in May 1999 and Compaq provided a fix in June 1999.  Hopefully, you didn't miss both the announcement of the vulnerability and the fix from Compaq.  The issue about leaving backup copies of the SAM database has been around forever, and the issue of cracking the password in the ldremote.ncf file was published in April 1999.
The solution set for fixing the vulnerability is fairly simple.
  1. If the Web-enabled version of Compaq Insight Manager isn't being used, disable the service.  If it is being used, upgrade to the non-vulnerable version.  Additionally, tighten the service's access controls so that only read access is available via the Intranet.
  2. Remove all backup SAM databases or properly secure the directory (C:\winnt\repair\) storing that information so that only the administrator can read it.  The corollary to this is to physically secure all backup media and ERDs as well since they could contain the backup SAM database.
  3. Use strong(er) passwords.  Since this exploitation process is so easy, and you have no way of detecting if your servers have already been compromised, you should change all Administrator passwords immediately.  On the servers with users accounts (not just service accounts) you should enforce the standards for password composition, expiration and retention.
  4. Novell recommends disabling rconsole access and has no fix planned. The work-around is to simply remove the Remote NetWare Loadable Module, or NLM, from memory with an UNLOAD RSPX and UNLOAD REMOTE command at the console. They suspect this is not possible for most sites, so the alternative is to closely guard your ldremote.ncf, possibly by moving it to a different location (security by obscurity).  You should also consider using Auditcon or a similar product to audit the use of the file and track anyone who touches it.

CVE Reference(s):