This was a fun one :-)
Time from thought to exploit: 4 hours
Risk Classification: High (gain administrator/rconsole access capability)
Effort to Exploit: Easy
Effort to Mitigate: Medium/Easy
See my attached writeup for more info.
Steve
--
Steve Lodin - CISSP
Manager - IT Security
Roche Diagnostics Corp
<[EMAIL PROTECTED]>
317-845-2070
Title: Compaq Insight Manager Vulnerability and Exploit
Security Issue: Exploiting Compaq Insight Manager to Gain Administrator Access
Time from thought to exploit: 4 hours
Risk Classification: High (gain administrator/rconsole access capability)
Effort to Exploit: Easy
Effort to Mitigate: Medium/Easy
Sphere of vulnerability:
Steps to Exploit:
- Learn. Read about Compaq Insight Manager vulnerability at SecurityFocus. Find the Compaq Insight Manager vulnerability by searching BugTraq mailing list archives.
- Reconnaissance. Scan the network to identify all machines running the Compaq Insight Manager using the network mapping tool called nmap. The scan of the entire Class B network took 3032 seconds and scanned 4077 hosts to find 51 instances of Compaq Insight Manager running on campus.
Infosec Security Vulnerability Report
No: Infosec.19990526.compaq-im.a
=====================================
Vulnerability Summary
---------------------
Problem: The web server included in Compaq Insight Manager could expose sensitive information.
Threat: Anyone that has access to port 2301 where Compaq Insight Manager is installed could get unrestricted access to the server's disk through the "root dot dot" bug.
Platform: Detected on Windows NT and Novell Netware servers running on Compaq hardware.
Solution: Disable the Compaq Insight Manager web server or restrict anonymous access.
Vulnerability Description
-------------------------
When installing Compaq Insight Manager a web server gets installed. This web
server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This
bug gives unrestricted access to the vulnerable server's disk. It could easily
get exploited with one of the URLs:
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf
(How many dots there should be is install-dependent)
Solution
--------
You could probably fix the problem by restricting anonymous access to the Compaq
Insight Manager web server. If you are not using the web server, Infosec
recommends disabling the service.
Command used for the reconnaissance scan described above: nmap -p 2301 (Address)/16
- Test. Testing for the vulnerability yields the following version/status information (the per-version percentage column did not survive; only the total is known):
| Compaq Insight Manager Version          | Status     | Percentage of Total |
| Compaq HTTP Server 1.2.14               | Vulnerable |                     |
| Compaq HTTP Server 1.2.15 (pre-release) | Vulnerable |                     |
| Compaq HTTP Server 1.3.12               | Vulnerable |                     |
| Compaq HTTP Server 1.4.10               | Vulnerable |                     |
| Compaq HTTP Server 1.5.3                | OK         |                     |
| Compaq HTTP Server 2.0.8                | OK         |                     |
| Unknown                                 | Unknown    |                     |
| Total Vulnerable                        |            | 35/51 = 69%         |
- Exploit. Exploiting the vulnerability takes a few steps, but can be accomplished fairly quickly. Essentially, for Windows NT, the unprotected backup SAM file (found in C:\winnt\repair\sam._) will be copied to the local PC from the server running Compaq Insight Manager so the passwords on that server can be cracked. The SAM file contains user login names and the associated passwords in encrypted form. (Note, these passwords can even be cracked by a PalmPilot given enough time and batteries.) If we are lucky, we will get the Administrator password. For Netware, copy the ldremote file (found in \System\ldremote.ncf) to the local PC from the server running Compaq Insight Manager so the rconsole password can be cracked. Once the passwords are cracked, the box is owned by the hacker!
| Microsoft Windows NT | Novell Netware |
| Using the correct URL, do a File -> Save Target As in Internet Explorer to save the sam._ file from the server to the local PC. | Using the correct URL, do a File -> Save Target As in Internet Explorer to save the ldremote.ncf file from the server to the local PC. |
| Uncompress the file by using the expand command: expand sam._ sam.server | Find the Remote.NLM password decryption tool at PacketStorm. Run REMOTE.EXE with the encrypted password string as the argument to decrypt the rconsole password immediately. |
| Using L0phtCrack, load the SAM file and start cracking. Find approximately 25% immediately. Let run overnight to get most/all passwords. | Exploit the password by... |
| Exploit the passwords found by mounting the server's drive, reading files, crashing the server, installing Trojan Horses/viruses | |
Success Statistics:
- NT
  - Administrator Passwords - approximately 90%
  - All Passwords - approximately 75%
- Netware
  - Rconsole passwords - 100%
Steps to Fix:
Fundamentally, there are two security tenets that were not followed, which led to this exposure:
- If you don't use it, disable it! For all those services that are running by default on the server (both UNIX and NT are problematic here), determine whether each is being used or not. If it is being used, then figure out how to properly configure and secure the service. If it is NOT BEING USED, then DISABLE IT!
- Stay vigilant! Watch for security vulnerabilities and exploits for the software services and hardware platforms in use. We need to watch the hacker lists as well as the vendor announcements. This particular Compaq Insight Manager vulnerability was announced in May 1999 and Compaq provided a fix in June 1999. We missed both the announcement of the vulnerability and the fix from Compaq. The issue about leaving backup copies of the SAM database has been around forever, and the issue of cracking the password in the ldremote.ncf file was published in April 1999.
- If the Web-enabled version of Compaq Insight Manager isn't being used, disable the service. If it is being used, upgrade to the non-vulnerable version. Additionally, tighten the service's access controls so that only read access is available via the Intranet.
- Remove all backup SAM databases or properly secure the directory (C:\winnt\repair\) storing that information so that only the administrator can read it. The corollary to this is to physically secure all backup media and ERDs as well since they could contain the backup SAM database.
- Use strong(er) passwords. The standard NT desktop Administrator password is cracked in less than 1 second and many of the NT server Administrator passwords were cracked almost as quickly. Since this exploitation process is so easy, and we have no way of detecting if our servers have already been compromised, we should change all Administrator passwords immediately. On the servers with user accounts (not just service accounts) we should enforce the standards for password composition, expiration and retention.
- Novell recommends disabling rconsole access and has no fix planned. The work-around is to simply remove the Remote NetWare Loadable Module, or NLM, from memory with an UNLOAD RSPX and UNLOAD REMOTE command at the console. We suspect this is not possible for most sites, so the alternative is to closely guard our ldremote.ncf, possibly by moving it to a different location (security by obscurity). We should also consider using Auditcon or a similar product to audit the use of the file and track anyone who touches it.
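A defender-side illustration of the traversal class the advisory calls the "root dot dot" bug: the path check a web server needs in order to keep requests inside its document root, plus a scan of access-log lines for requests that escape it. This is an added example, not code from the original post or from Compaq; the document root (/cim/wwwroot), the Common Log Format and the log lines are all assumptions constructed for the example.

```python
"""Server-side path check plus log detection for the "root dot dot" traversal
described above. Added example; not code from the original post or from
Compaq. The document root and the log lines are constructed."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

DOCROOT = "/cim/wwwroot"  # assumed web root; the real path is install-dependent
# Files the writeup names as exploit targets; used only to label detections.
SENSITIVE = ("winnt/repair/sam._", "system/ldremote.ncf")
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def canonical(url_path: str) -> str:
    """Percent-decode, fold NT backslashes to '/', and collapse '.'/'..' segments."""
    decoded = unquote(url_path).replace("\\", "/")
    return posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))

def resolve_under_root(url_path: str) -> Optional[str]:
    """Return the on-disk path for a request, or None if it escapes DOCROOT.
    normpath never climbs above '/', so a request that walks out of the web
    root lands elsewhere on the volume: exactly the advisory's bug."""
    full = canonical(url_path)
    if full == DOCROOT or full.startswith(DOCROOT + "/"):
        return full
    return None

def flag_traversal(lines):
    """Scan access-log lines; report (client, raw path, label) for each request
    whose canonical path leaves the web root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = urlsplit(m["target"]).path
        if resolve_under_root(raw) is not None:
            continue
        norm = canonical(raw).lower()
        label = next((s for s in SENSITIVE if norm.endswith(s)), "other")
        hits.append((m["client"], raw, label))
    return hits

# Constructed sample log (Common Log Format assumed, port 2301 listener).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/1999:10:00:01 -0500] "GET / HTTP/1.0" 200 512',
    '10.0.0.7 - - [26/May/1999:10:00:05 -0500] "GET /../../../winnt/repair/sam._ HTTP/1.0" 200 20480',
    '10.0.0.7 - - [26/May/1999:10:00:09 -0500] "GET /..%2F..%2F..%2Fsystem/ldremote.ncf HTTP/1.0" 200 128',
    '10.0.0.9 - - [26/May/1999:10:00:11 -0500] "GET /images/logo.gif HTTP/1.0" 200 3010',
]
```

Decoding before normalising matters: the third sample line hides the dots behind %2F and would pass a naive substring check for "../" while still escaping the root.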
