[NEWS] Legato NetWorker Authentication Vulnerability
From: support@securiteam.com Date: 11/25/01
From: support@securiteam.com To: list@securiteam.com Subject: [NEWS] Legato NetWorker Authentication Vulnerability Message-Id: <20011124231700.3D304138BF@mail.der-keiler.de> Date: Sun, 25 Nov 2001 00:17:00 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Legato NetWorker Authentication Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://portal1.legato.com/products/networker/> Legato NetWorker is a
solution for addressing the data storage needs of large and small
heterogeneous enterprise environments. A security vulnerability in the
product allows attackers to bypass the authentication procedure of the
Legato NetWorker application.
DETAILS
Vulnerable systems:
Legato NetWorker prior to version 6.1
There is a weakness in the authentication scheme of Legato NetWorker.
When a client contacts the server, it announces (in clear text) via RPC
its hostname or IP address, its username and the user's groups. The
server then tries to resolve the IP address of the machine that initiated
the dialog; if that fails, it sends an "unknown host" answer but does not
stop the authentication process. As a result, any machine whose IP address
the server cannot resolve can impersonate any host or user, and in this
way obtain administrator privileges on the NetWorker admin interface.
Proof of concept:
Here we assume that "server" is the NetWorker server, with IP address
1.2.3.4.
We use a machine called "intruder", with IP address A.B.C.D, that can
communicate freely with "server".
Prerequisite: "server" must be unable to perform a reverse lookup of the
IP address of "intruder" (this machine is unknown in /etc/hosts and in the
associated DNS zone).
Therefore, as root on "intruder", perform the following actions:
* Change the hostname of the machine to fake the server's:
# hostname server
* Also fake the resolution mechanism on the intruder machine:
add "A.B.C.D server" to /etc/hosts
* Contact the server with 'nwadmin -s 1.2.3.4'
* The server now believes you are root@server, so it will probably grant
you admin privileges.
(You can also fake another user by creating that user on "intruder" and
doing a 'su'.)
ADDITIONAL INFORMATION
The information has been provided by 10function
<mailto:10function@netcourrier.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.