Compaq Insight Manager http server

CVE 1999-0771
CVE 1999-0772

Impact

The web server included in Compaq Insight Manager could allow unrestricted access to the server's disk. A copy of the password file could be retrieved and cracked, allowing an attacker to gain complete control of the system.


Background

Compaq Insight Manager is a tool which facilitates remote monitoring and control of Compaq servers and clients. When it is installed, the system runs a web server on port 2301.

The Problem

CVE 1999-0771

The web server spawned by Insight Manager is vulnerable to the "root dot dot" bug. This bug gives unrestricted access to the vulnerable server's disk. An attacker could thereby view a copy of the system password file by entering a URL such as:

http://vulnerable-NT.com:2301/../../../winnt/repair/sam._

for a Windows NT system, or

http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf

for a Novell Netware system. (How many dots there should be is install-dependent.) The password file could then be cracked, giving the attacker complete control over the server.

Windows NT and Novell Netware systems running the following versions of Insight Manager are known to be vulnerable:

The following versions are known not to be vulnerable:

CVE 1999-0772

A second vulnerability in Compaq Insight Manager could allow a remote user to shut down Insight Manager's http server by sending it a request for a very long URL.
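The two problems above are a missing document-root containment check and a missing request-length limit. As an added example that is not part of the original tutorial or of Insight Manager, the Python below shows the containment check a web server needs (decode, normalise, then refuse anything that climbs above the root) and a simple detection pass over constructed log lines that flags both traversal attempts and oversized URLs; the document root, the 2048-byte limit and the log format are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample requests (not from the page), one "METHOD target" per line,
# as a server on port 2301 might log them. The long one stands in for the DoS case.
SAMPLE_REQUESTS = [
    "GET /",
    "GET /cpqmgmt/index.html",
    "GET /cpqmgmt/../index.html",          # ".." that stays inside the root: legitimate
    "GET /../../../winnt/repair/sam._",     # the traversal shape quoted in the tutorial
    "GET /..%2f..%2f..%2fsystem/ldremote.ncf",  # same thing, URL-encoded separators
    "GET /" + "A" * 5000,                   # very long URL (second vulnerability)
]

MAX_URL_LEN = 2048  # assumed limit; longer request targets are flagged

def resolve_under_root(docroot, request_target):
    """Decode and normalise a request path, returning the filesystem path under
    docroot, or None when normalisation escapes the root. This is the containment
    check the vulnerable server lacked; note it normalises first, so a naive
    substring search for ".." is neither the check nor the detection used here."""
    path = unquote(urlsplit(request_target).path).replace("\\", "/")
    normalised = posixpath.normpath(path.lstrip("/"))
    if normalised == "..":
        return None
    if normalised.startswith("../"):       # climbed above the root
        return None
    if normalised == ".":                  # the bare "/" request
        return docroot
    return posixpath.join(docroot, normalised)

def classify_request(line, max_len=MAX_URL_LEN, docroot="/docroot"):
    """Return the findings for one log line: 'traversal', 'long_url', or none."""
    _method, _, target = line.partition(" ")
    findings = []
    if len(target) > max_len:
        findings.append("long_url")
    if resolve_under_root(docroot, target) is None:
        findings.append("traversal")
    return findings

def flagged_requests(lines):
    """Return (line_index, findings) for every line that trips a rule."""
    return [(i, classify_request(l)) for i, l in enumerate(lines) if classify_request(l)]

if __name__ == "__main__":
    for index, findings in flagged_requests(SAMPLE_REQUESTS):
        print(index, findings, SAMPLE_REQUESTS[index][:60])
```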

Resolution

The solution set for fixing the vulnerability is fairly simple.
  1. If the Web-enabled version of Compaq Insight Manager isn't being used, disable the service. If it is being used, upgrade to the non-vulnerable version. Additionally, tighten the service's access controls so that only read access is available via the intranet.
  2. Remove all backup SAM databases or properly secure the directory (C:\winnt\repair\) storing that information so that only the administrator can read it. The corollary to this is to physically secure all backup media and ERDs as well, since they could contain the backup SAM database.
  3. Use strong(er) passwords. Since this exploitation process is so easy, and you have no way of detecting whether your servers have already been compromised, you should change all Administrator passwords immediately. On the servers with users' accounts (not just service accounts) you should enforce the standards for password composition, expiration and retention.
  4. Novell recommends disabling rconsole access and has no fix planned. The work-around is to simply remove the Remote NetWare Loadable Module, or NLM, from memory with the UNLOAD RSPX and UNLOAD REMOTE commands at the console. They suspect this is not possible for most sites, so the alternative is to closely guard your ldremote.ncf, possibly by moving it to a different location (security by obscurity). You should also consider using Auditcon or a similar product to audit the use of the file and track anyone who touches it.

Where can I read more about this?

The "root dot dot" vulnerability was posted to Bugtraq. The denial of service vulnerability was also posted to Bugtraq.