

October 18, 1999 (Vol. 21, Issue 42)

SECURITY WATCH: Backdoors in Compaq Insight Manager tool still cause headaches for security staff


By Stuart McClure & Joel Scambray

JOIN US THIS WEEK as we hop into the Wayback Machine to revisit a vulnerability in the Compaq Insight Manager (CIM) Agent. This story first made the rounds in May. (See packetstorm.securify.com/9905exploits/compaq.insight.manager.server.txt.) Another problem with CIM has cropped up that should have reminded users to patch the original hole, but based on our recent experiences, the first one is still widespread.

An old and popular trick to pull on a Web server that didn't confine requested paths to its document root was the "root dot dot" bug. Basically, attackers could enter a series of "../" sequences in a URL, and because the server never checked where the resolved path ended up, it would happily serve any file on the volume from the root down. For example, the following URL entered into a browser would display a Unix system's password file:

http://target_server.com//../../../../../../../../etc/passwd

Most Web-server implementations have fixed this problem, but in a classic case of "you never know when that old exploit will hit you again," companies that installed the Web component of CIM discovered that those systems were running a Web server that was vulnerable to "root dot dot." By simply connecting to port 2301 with a Web browser, attackers could traverse the file system from the root down and display sensitive files such as the backup copy of the NT SAM database or a NetWare NCF script, for example: http://nt_server:2301//../../../winnt/repair/sam._ or http://nw_server.com:2301/../../../system/ldremote.ncf.

Traversing drives other than the Web server volume is not possible (to our knowledge). Also affected are systems with the Compaq Survey Utility Version 2.0 and later installed. Both Windows NT and NetWare systems can be affected.
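To make the "root dot dot" failure concrete, here is an added example (written for this column, not code from Compaq or from the CIM Web server) that models the two ways a server can map a URL path onto the file system. The document roots (/opt/cim/web and C:/cim/web), the function names and the sample requests are assumptions; the request paths are the ones quoted above, plus percent-encoded and backslash variants that a careless decoder also lets through. The naive mapping glues the decoded path to the document root and lets the file system collapse the "../" segments, so the result climbs above the root; the hardened mapping normalizes first and refuses anything whose resolved path is not inside the root.

```python
"""Model of the 'root dot dot' directory-traversal bug and its fix.

Added example; the document roots, function names and requests are
hypothetical, but the URL paths are the ones from the column.
"""
import posixpath
from urllib.parse import unquote


def _decode(url_path: str, windows: bool) -> str:
    """Percent-decode the path; on NT-style servers also treat '\\' as '/'.

    Decoding BEFORE normalizing matters: '%2e%2e%2f' must be seen as '../'.
    """
    p = unquote(url_path)
    if windows:
        p = p.replace("\\", "/")
    return p


def naive_resolve(doc_root: str, url_path: str, windows: bool = False) -> str:
    """The vulnerable mapping (what the CIM Web server effectively did).

    The decoded URL path is appended to the document root and the '..'
    segments are collapsed the way the file system would on open().
    Nothing checks whether the result is still under doc_root.
    """
    return posixpath.normpath(doc_root + "/" + _decode(url_path, windows))


def safe_resolve(doc_root: str, url_path: str, windows: bool = False):
    """The hardened mapping: resolve, then confine to the document root.

    Returns the absolute path to serve, or None if the request escapes
    the root (the caller should answer 403/404 and log the attempt).
    """
    root = posixpath.normpath(doc_root)
    target = posixpath.normpath(root + "/" + _decode(url_path, windows))
    # The trailing '/' is deliberate: it stops '/opt/cim/web2/...' from
    # passing a plain prefix test against root '/opt/cim/web'.
    if target != root and not target.startswith(root + "/"):
        return None
    return target


# Constructed sample requests: the two quoted in the column and two
# encodings a sloppy decoder also lets through.
SAMPLE_REQUESTS = [
    ("/opt/cim/web", "//../../../../../../../../etc/passwd", False),
    ("C:/cim/web", "//../../winnt/repair/sam._", True),
    ("/opt/cim/web", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd", False),
    ("C:/cim/web", "/..\\..\\winnt\\repair\\sam._", True),
    ("/opt/cim/web", "/docs/../index.html", False),  # legitimate
]


def audit(requests=SAMPLE_REQUESTS):
    """Return (naive_result, safe_result) per request for comparison."""
    return [
        (naive_resolve(root, path, win), safe_resolve(root, path, win))
        for root, path, win in requests
    ]


if __name__ == "__main__":
    for (root, path, win), (naive, safe) in zip(SAMPLE_REQUESTS, audit()):
        verdict = "BLOCKED" if safe is None else "served"
        print(f"{path!r:45} naive -> {naive:28} hardened -> {verdict}")
```

Run it as-is and every escaping request resolves to /etc/passwd, C:/winnt/repair/sam._ and so on under the naive mapping while the hardened mapping rejects it, yet the legitimate "docs/../index.html" request is still served. The same check is what you want in any code that turns a URL path into a file name: decode, normalize, and compare the result against the root with the separator included.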

This problem is a fine illustration of the complexity of modern IT operations. CIM comes preinstalled on many of Compaq's premier servers, such as the Proliant, reaching as far back as May 1998. As we discussed in a previous column, highly customized software from OEMs is becoming an increasingly visible source of potential security issues. For details on platforms affected and fixes, see www.compaq.com/products/servers/management/security.html.

We can't emphasize enough how vulnerable this problem makes systems, even over the Internet. A trusty port scan of your network should turn up any systems listening on TCP 2301, then go to town with the patches (or just disable Web management).

The last thing CIM needed was some salt poured into this open wound, but it got just that on Sept. 3, when Compaq posted another security advisory. This one details how an NT user account that is installed by several versions of CIM Agents contained a default password. (See www.compaq.com/products/servers/management/advisory.html.)

This is as indefensible as the "root dot dot" problem. Nevertheless, Compaq officials state in an advisory: "Requiring a user account is consistent with access required by other Windows NT applications in the market today." Consistent, maybe -- but secure, no. These accounts are sitting ducks for password guessers who slobber for just such a stepping stone to a system, especially when they have factory-configured passwords. When are vendors going to learn that if they need a default account on the system then they should at least design the system to require a unique, complex password set by the user?

Picking on Compaq will certainly not make us many friends in Houston this week, but it is probably not the last vendor to be burned by a problem with the burgeoning amount of code that comes preloaded on modern systems. The simple fix: Format the drive before deploying new machines.

Next week, we'll gravitate back to the here-and-now with a discussion of the possible existence of the fabled Unix "rootkit" in NT clothing, courtesy of a new and exciting NT security-research effort. Send us your responses -- no matter how outdated -- to security_watch@infoworld.com.

Stuart McClure and Joel Scambray are consultants at Ernst & Young's eSecurity Solutions group. They have encountered numerous technologies during their 10 years in information security. They recently published the security book Hacking Exposed (Osborne/McGraw-Hill).

Copyright (c) 1999 InfoWorld Media Group Inc.

