Netopia Timbuktu Remote Access Software Lets Users Without Administrator Privileges Modify User Account Restrictions
SecurityTracker Alert ID: 1003637
SecurityTracker URL: http://securitytracker.com/id/1003637
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 22 2002
Impact: Modification of system information, User access via network
Exploit Included: Yes
Version(s): Timbuktu Pro 4.5 Build 869
Description:
A vulnerability was reported in Netopia's Timbuktu remote access software. A user can modify user account restrictions and grant administrator privileges to known user accounts.
It is reported that Timbuktu stores user privilege configuration information in the 'tb2.plu' file, typically located in the \Programme\Timbuktu Pro\ directory. Usernames are apparently stored in clear text. Access to the file is apparently not restricted, allowing a user to replace the tb2.plu file with a file containing an arbitrary username and password combination and specifying no restrictions. This will allow the user to log in with the arbitrary username and be granted full administrator privileges.
Impact:
A remote user with valid login credentials can change the Timbuktu configuration file to modify a user account to grant full administrator privileges.
Solution:
No solution was available at the time of this entry.
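One way to audit the condition the description attributes this issue to (unrestricted access to tb2.plu), as an added example that is not part of the SecurityTracker entry or the Digital_Rebels advisory: a PowerShell check for allow ACEs that give anyone other than SYSTEM and local Administrators write or delete rights on the file or its directory. The default path (drive C: is assumed) and the trusted-SID list are assumptions to adjust per installation.

```powershell
# Added example, not vendor or advisory code.
# Assumption: tb2.plu lives at this path; the advisory only gives <device>:\Programme\Timbuktu Pro.
param([string]$PluPath = 'C:\Programme\Timbuktu Pro\tb2.plu')

$sidType = [System.Security.Principal.SecurityIdentifier]

# Assumption: only SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544) should be able
# to change the user database. SIDs are used so the check works on localized Windows.
$trusted = 'S-1-5-18', 'S-1-5-32-544'

# Rights that allow rewriting or replacing the file, plus GENERIC_WRITE | GENERIC_ALL (0x50000000).
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x50000000

function Get-UntrustedWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs on a directory do not apply to the directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (-not ([int]$ace.FileSystemRights -band $writeBits)) { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        # Resolve the SID to a readable account name where possible.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Write access to the parent directory is enough to swap the file, so check both.
$findings = @(Get-UntrustedWriteAce $PluPath) +
            @(Get-UntrustedWriteAce (Split-Path -Parent $PluPath))

if ($findings) { $findings | Format-Table -AutoSize }
else { "No untrusted write access found on $PluPath or its directory." }
```

Any row in the output names a principal that could overwrite or replace the user database before the next Timbuktu restart.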
Vendor URL: www.netopia.com/en-us/software/products/tb2/index.html
Cause: Access control error
Underlying OS: Windows (Any)
Message History: None.
Source Message Contents
Date: Fri, 22 Feb 2002 09:33:12 -0500
Subject: DR.Timbuktu.Database.Insecurity
http://packetstorm.widexs.nl/advisories/misc/timbuktu.txt
o0O Digital_Rebels O0o
- Advisory #1 -
--[Facts]--
Advisory : DR.Timbuktu.Database.Insecurity
Date : 19.02.02
Application : Timbuktu Pro 4.5 Build 869
(former versions are likely to be affected, too)
Impact : Overriding User-Database
Author : Ernesto Tequila
--[Introduction]--
</snip>
For IT professionals, Timbuktu Pro means the best
remote control technology for reducing the Total
Cost of Ownership, while simultaneously increasing
productivity across the enterprise. For telecommuters,
Timbuktu is an indispensable remote collaboration and
communications tool that enables professionals to
connect to remote machines in real time.
</snap>
--[Advisory]--
Timbuktu is a Remote Access Server / Client for Windows
and Mac environments. It gives the user control over
the server according to its restrictions set in the
User-Database of the server. All user information is
stored on the server side in a file called tb2.plu which
normally resides in <device>:\Programme\Timbuktu Pro.
Timbuktu stores the usernames in cleartext in this file
giving anyone the possibility to look up user accounts.
Even more critical is the point that this file is not
locked during the operation of the server, giving
intruders the possibility to replace the tb2.plu file
with one created at home with a known username /
password combination and no restrictions at all. After
a restart of the Timbuktu application it reads the new
user / passes from the file, granting the intruder full
administrator access!
--[Patch]--
No patch available at the moment
Check www.netopia.com for updates!
--[Contact]--
Ernesto Tequila <ernesto@digreb.de>
www.digreb.de
--[Shouts]--
..:: DigReb, HDC, THC ::..
..:: Rolex, xaitax, Lazarus, Leh, Semmel, marts, hb-man ::..