iPlanet Calendar Server May Disclose Administrator Name and Password to Local Users
|
SecurityTracker Alert ID: 1001356 |
SecurityTracker URL: http://securitytracker.com/id/1001356
|
CVE Reference:
GENERIC-MAP-NOMATCH
|
Date: Apr 18 2001
|
Impact:
Disclosure of authentication information
|
Exploit Included: Yes
|
Version(s): 5.0p2
|
Description:
It is reported that the default installation of iPlanet Calendar Server stores the NAS LDAP admin username and password in plaintext in a world-readable file, allowing local users to gain administrator access to the calendar server.
The file used is:
-rw-r--r-- 1 icsuser icsgroup 37882 Feb 20 10:18 /opt/SUNWics5/cal/bin/config/ics.conf
The authentication data is stored in the following fields:
local.authldapbinddn (username)
local.authldapbindcred (password)
This reportedly could give a local user full read/write access to the underlying NAS LDAP database (which is normally used for admin facilities such as storing user / group profiles, passwords, ACLs, SSL certificates and/or other sensitive company information), and full administrative control of the local NAS server.
The vendor has reportedly been notified.
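A defensive check for the condition described above, added here as an example (it is not code from SecurityTracker, the reporter, or iPlanet): it reports whether a configuration file is world-readable and whether the two credential fields named in the advisory are populated, without returning their values. The `key = "value"` line syntax and the sample file contents are assumptions constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Field names come from the advisory; the key = "value" syntax is an assumption.
CRED_KEYS = ("local.authldapbinddn", "local.authldapbindcred")
# Lines that do not start with a key name (comments, blanks) simply do not match.
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.\-]+)\s*=\s*"?(.*?)"?\s*$')

# Constructed sample content with placeholder values, not a real ics.conf.
SAMPLE = ('local.authldapbinddn = "cn=EXAMPLE-ADMIN"\n'
          'local.authldapbindcred = "EXAMPLE-PASSWORD"\n')


def audit_conf(path):
    """Report permissions and populated credential fields; never return values."""
    st = os.stat(path)
    populated = set()
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            m = LINE_RE.match(line)
            if m and m.group(1) in CRED_KEYS and m.group(2):
                populated.add(m.group(1))
    world = bool(st.st_mode & stat.S_IROTH)
    return {
        "mode": stat.filemode(st.st_mode),
        "world_readable": world,
        "credential_keys": sorted(populated),
        "exposed": world and "local.authldapbindcred" in populated,
    }


def run_demo():
    """Audit the sample at mode 0644 (as in the advisory) and again at 0600."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit_conf(path)
        os.chmod(path, 0o600)
        return before, audit_conf(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Calling `audit_conf` on `/opt/SUNWics5/cal/bin/config/ics.conf` on an installed host produces the same report for the real file.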
|
Impact:
A local user could gain read/write access to the LDAP database.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.iplanet.com/
|
Cause:
Authentication error
|
Underlying OS: UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT)
|
Message History:
None.
|
Source Message Contents
|
Subject: iplanet calendar server 5.0p2 exposes Netscape Admin Server
|
at the time of writing, 5.0p2 is the currently available revision on
iplanet's download site.
the problem:
the standard install of iPlanet Calendar server stores the NAS LDAP
admin username and password in plaintext in the world readable file:
-rw-r--r-- 1 icsuser icsgroup 37882 Feb 20 10:18 /opt/SUNWics5/cal/bin/config/ics.conf
in the fields
local.authldapbinddn (username)
and
local.authldapbindcred (password)
this potentially gives all local users full read/write access to the
underlying NAS LDAP database (which is normally used for admin
facilities such as storing user / group profiles, passwords, ACLs, SSL
certificates and/or other sensitive company information), and full
administrative control of the local NAS server. this access could in
turn lead to compromise of other facilities such as web/e-commerce
sites, directories etc.
i believe that the default install of the underlying NAS LDAP server and
associated administration packages allow remote admin via tcp/ip, so
other remote compromises that allow reading of world readable files (or
any other disclosures of the above file contents) could lead to full
remote read/write access of the NAS LDAP database and full remote
administrative control of the server.
this was reported to iplanet at the end of february 2001, who requested
i submit it to netscape's online bug-tracking system which i did on 3rd
march. i have heard nothing from them since. i have not personally
investigated or tested any fix for this.
enjoy,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
Voysey House http://www.thebunker.net
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
|