SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Calendar)  >   iPlanet Calendar Server Vendors:   Netscape, Sun
iPlanet Calendar Server May Disclose Administrator Name and Password to Local Users
SecurityTracker Alert ID:  1001356
SecurityTracker URL:  http://securitytracker.com/id/1001356
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 18 2001
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 5.0p2
Description:   It is reported that the default installation of the iPlanet Calendar Server stores the NAS LDAP admin username and password in plaintext in a world readable file, allowing local users to gain administrator access to the calendar server.

The file used is:

-rw-r--r-- 1 icsuser icsgroup 37882 Feb 20 10:18 /opt/SUNWics5/cal/bin/config/ics.conf

The authentication data is stored in the following fields:

local.authldapbinddn (username)
local.authldapbindcred (password)

This reportedly could give a local user full read/write access to the underlying NAS LDAP database (which is normally used for admin facilities such as storing user / group profiles, passwords, ACLs, SSL certificates and/or other sensitive company information), and full administrative control of the local NAS server.

The vendor has reportedly been notified.
Impact:   A local user could gain read/write access to the LDAP database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.iplanet.com/ (Links to External Site)
Cause:   Authentication error
Underlying OS:  UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT)

Message History:   None.

 Source Message Contents
Subject:  iplanet calendar server 5.0p2 exposes Netscape Admin Server


at the time of writing, 5.0p2 is the currently available revision on
iplanet's download site.

the problem:

the standard install of iPlanet Calendar server stores the NAS LDAP
admin username and password in plaintext in the world readable file:

-rw-r--r--   1 icsuser  icsgroup   37882 Feb 20 10:18
/opt/SUNWics5/cal/bin/config/ics.conf

in the fields

  local.authldapbinddn (username)

and

  local.authldapbindcred (password)

this potentially gives all local users full read/write access to the
underlying NAS LDAP database (which is normally used for admin
facilities such as storing user / group profiles, passwords, ACLs, SSL
certificates and/or other sensitive company information), and full
administrative control of the local NAS server. this access could in
turn lead to compromise of other facilities such as web/e-commerce
sites, directories etc.

i believe that the default install of the underlying NAS LDAP server and
associated administration packages allow remote admin via tcp/ip, so
other remote compromises that allow reading of world readable files (or
any other disclosures of the above file contents) could lead to full
remote read/write access of the NAS LDAP database and full remote
administrative control of the server.

this was reported to iplanet at the end of february 2001, who requested
i submit it to netscape's online bug-tracking system which i did on 3rd
march. i have heard nothing from them since. i have not personally
investigated or tested any fix for this.

enjoy,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC