[NT] Compaq Web Management Vulnerability (Secure Task Execution)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/15/04

    To: list@securiteam.com
    Date: 15 Mar 2004 09:42:45 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Compaq Web Management Vulnerability (Secure Task Execution)
    ------------------------------------------------------------------------

    SUMMARY

    Compaq Web Management includes a number of daemons, which listen on a
    number of TCP ports and also respond to SNMP requests. An SSL HTTP server
    runs on port 2381. If the system is configured to let anonymous users
    browse it, a common configuration, then a bug in the validation system
    allows users to upload their own certificates to be trusted by the client
    system. This would then allow that machine to be administered remotely
    via such mechanisms as Secure Task Execution.

    DETAILS

    Vulnerable Systems:
     * All known versions of Compaq Web Management are affected. Versions 5
    and 7 were tested.

     * All products which include vulnerable versions of HP HTTP should be
    considered affected, including:
     * HP Insight Management Agents for Servers
     * HP Power Management
     * HP Version Control Repository Agent
     * HP Version Control Agent
     * HP Insight Manager 7
     * HP Array Configuration Utility

    This is considered to be a critical problem, as Compaq Web Management is
    often installed on every machine in the enterprise.
    This bug is exploitable, and the exploitation can be repeated over and
    over. No knowledge of the Windows version is needed for it to be
    effective. This would probably work on all the other systems supported
    by Compaq Web Management. The vulnerability is only present when
    "Anonymous Access" is enabled. By default, HP Web Based Management
    Products are configured with "Anonymous Access" disabled.

    A fake certificate can be created, for example, by using HP's Insight
    Manager 7.

    Patch Availability:
    A patch can be obtained from:
    http://h18023.www1.hp.com/support/files/Server/us/download/20197.html

    ADDITIONAL INFORMATION

    The information has been provided by Dave Aitel
    <dave@immunitysec.com>.

    The original article can be found at:
    http://www.immunitysec.com/downloads/hp_http.sxw.pdf
