[UNIX] Tivoli Management Framework Security Compromise
From: support@securiteam.com Date: 08/06/01
From: support@securiteam.com To: list@securiteam.com Subject: [UNIX] Tivoli Management Framework Security Compromise Message-Id: <20010806210530.2324613903@mail.der-keiler.de> Date: Mon, 6 Aug 2001 23:05:30 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Tivoli Management Framework Security Compromise
------------------------------------------------------------------------
SUMMARY
The Tivoli Management Framework installation phase requires rexec (a remote
execution service). Some system administrators neglect to disable this
service after the installation has completed, which leaves the entire
network open to attack. The following is a penetration test scenario, with
details of how rexec was used to compromise it.
DETAILS
Scenario:
A Cisco PIX firewall protected a set of Internet web and database servers
in a DMZ from the Internet. The PIX also protected the internal machines
from the Internet. The machines in the DMZ were both NT and Unix. The
internal network had a Tivoli management station that monitored the DMZ
machines and the internal machines.
Testing:
It was possible to break into an IIS server that had not been patched for
the CGI decode vulnerability. Through this vulnerability, an exec program
was uploaded to the Windows machine, with the name and IP address of the
sending machine spoofed. With this tool, it was then possible to send
commands to all other UNIX machines in the same DMZ, which were executed
with the permissions of the Tivoli management station.
Alert:
Tivoli requires rexec (TCP port 512) to install its managed hosts. Sometimes
this port is not closed after the installation, even though the
documentation instructs that it be closed. When these hosts are connected
to the Internet, this is a huge risk: an open rexec service lets an
attacker use Tivoli's access to reach every machine in your DMZ.
Actions to be taken by administrators:
Tivoli requires rexec only during the initial install of the framework.
For the brief time this one-time operation takes, Internet connectivity
can be disallowed, and rexec should be disabled again once it is complete.
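The advisory does not say how rexec is provided on the affected hosts. The following added example (not part of the SecuriTeam bulletin or any Tivoli documentation) assumes the common case of that era: the `exec` service (in.rexecd) started from an inetd.conf entry. It audits a constructed sample inetd.conf for an active exec entry, checks constructed netstat output for a listener on port 512, and emits a hardened copy of the configuration with the entry commented out. The sample files, paths and the helper names `rexec_enabled`, `rexec_listening` and `disable_rexec` are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit a host for a leftover rexec (exec, TCP 512) service.
# The inetd.conf and netstat samples below are constructed, not taken from any real host.

SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd    in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd in.telnetd
exec    stream  tcp  nowait  root  /usr/sbin/in.rexecd  in.rexecd
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd    in.rshd
EOF

SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.512                  *.*                    LISTEN
tcp        0      0  10.0.0.5.22            10.0.0.9.40012         ESTABLISHED
EOF

# rexec_enabled FILE: succeed (exit 0) if FILE has an uncommented "exec" inetd entry.
# Leading whitespace is tolerated; commented-out entries are ignored.
rexec_enabled() {
  grep -Eq '^[[:space:]]*exec[[:space:]]+stream' "$1"
}

# rexec_listening FILE: succeed if FILE (netstat -an style output) shows a TCP
# socket in LISTEN state on local port 512, in either "*.512" or "0.0.0.0:512" form.
rexec_listening() {
  awk '$1 ~ /^tcp/ && $4 ~ /[.:]512$/ && $NF == "LISTEN"' "$1" | grep -q .
}

# disable_rexec FILE: print a hardened copy of FILE with the exec entry commented out.
# Write the result over /etc/inetd.conf and signal inetd (kill -HUP) to apply it.
disable_rexec() {
  sed -E 's/^([[:space:]]*exec[[:space:]]+stream)/#\1/' "$1"
}

# Stand-alone run: report findings for the constructed samples.
if rexec_enabled "$SAMPLE_INETD"; then
  echo "WARNING: active exec (rexec) entry in $SAMPLE_INETD"
fi
if rexec_listening "$SAMPLE_NETSTAT"; then
  echo "WARNING: TCP port 512 is listening"
fi
HARDENED="$SAMPLE_INETD.hardened"
disable_rexec "$SAMPLE_INETD" > "$HARDENED"
echo "hardened config written to $HARDENED"
```

Run it against real data by pointing `rexec_enabled` at /etc/inetd.conf and `rexec_listening` at the output of `netstat -an` saved to a file; a finding from either check means the post-install cleanup the advisory describes was not done.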
ADDITIONAL INFORMATION
The information has been provided by <mailto:duc_ttape@yahoo.com> Duct
Tape and <mailto:hfarkas@us.ibm.com> Henry Farkas.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.