SecurityTracker.com
Category:   Application (Generic)  >   EMC NetWorker
Vendors:   Legato Systems, Inc.
Legato NetWorker Backup and Storage Software Uses Weak Authentication That Permits Spoofing and Allows a Remote User to Gain Administrative Access to the Application
SecurityTracker Alert ID:  1002801
SecurityTracker URL:  http://securitytracker.com/id/1002801
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 22 2001
Impact:   User access via network

Version(s): prior to 6.1
Description:   An authentication vulnerability was reported in Legato NetWorker. A remote user can spoof another host name and user name to gain administrative access to the application.

It is reported that when a client contacts the server, the client provides its hostname or IP address in clear text via RPC, along with user name and applicable user groups. If the server cannot resolve the IP address of the client, the authentication process continues and the client can spoof the hostname of a valid host.

A demonstration exploit procedure is described in the Source Message.

The vendor has reportedly been notified.
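
The fail-open logic described above, modelled next to a fail-closed check that requires forward-confirmed reverse DNS. This is an added example, not NetWorker code and not part of the original advisory; the function names, the admin list and the DNS tables are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed DNS data as seen by the backup server (documentation addresses).
PTR = {"192.0.2.4": "server.example.com"}    # reverse zone: IP -> name
A = {"server.example.com": ["192.0.2.4"]}    # forward zone: name -> IPs
ADMINS = {("root", "server.example.com")}    # hypothetical admin list (user, host)

@dataclass(frozen=True)
class Request:
    peer_ip: str       # source address observed on the connection
    claimed_host: str  # hostname the client sent in the request
    claimed_user: str  # user name the client sent in the request

def host_ok_fail_open(req):
    """Reported behaviour: a failed reverse lookup does not stop the process."""
    name = PTR.get(req.peer_ip)
    if name is None:
        return True  # "unknown host" is noted, yet the claimed name is trusted
    return name == req.claimed_host.lower()

def host_ok_fail_closed(req):
    """Forward-confirmed reverse DNS: any lookup failure or mismatch rejects."""
    name = PTR.get(req.peer_ip)
    if name is None or name != req.claimed_host.lower():
        return False
    return req.peer_ip in A.get(name, [])

def is_admin(req, host_check):
    # The user name stays client-asserted; the host check only limits which
    # machines are able to make that assertion.
    return host_check(req) and (req.claimed_user, req.claimed_host.lower()) in ADMINS

# Constructed requests: one from the resolvable host, one from a peer with no PTR.
LEGIT = Request("192.0.2.4", "server.example.com", "root")
UNRESOLVABLE = Request("198.51.100.7", "server.example.com", "root")

def decisions():
    """Return {check name: (legit result, unresolvable-peer result)}."""
    return {check.__name__: (is_admin(LEGIT, check), is_admin(UNRESOLVABLE, check))
            for check in (host_ok_fail_open, host_ok_fail_closed)}

if __name__ == "__main__":
    for name, result in decisions().items():
        print(name, result)
```

The fail-closed variant only bounds which machines can present a host name; the user name and groups in the request remain unauthenticated client input.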

Impact:   A remote user can gain administrative access to the application in certain situations.
Solution:   No solution was available at the time of this entry.
Vendor URL:  portal2.legato.com/products/networker/
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Legato Networker vulnerability


There's a weakness in the authentication scheme of Legato Networker Software prior to version 6.1.
When a client contacts the server, it announces (in clear text) via RPC its hostname or IP address, its username and the user's groups.
Then the server tries to resolve the IP address of the machine which has initiated the dialog; if it fails, it sends an "unknow host" answer but doesn't stop the authentication process.
As a result, every machine whose IP couldn't be resolved by the server can fake any host or user,
and in this way gain administrator privilege on the Networker admin interface.
                -------------------------------
Proof of concept:
Here, we suppose that "server" is the Networker server, whose IP is 1.2.3.4.
We are now using a machine called "intruder", whose IP is A.B.C.D, which can communicate freely with "server".
Prerequisite: "server" must be unable to perform a reverse lookup for the hostname "intruder" into an IP address (this machine is unknown in /etc/hosts and the associated DNS zone).

So as root on "intruder", we will do the following actions:
#hostname server
Add "A.B.C.D server" into /etc/hosts 
nwadmin -s 1.2.3.4

(you can eventually fake another user by creating this user on "intruder" and doing a su)
(Of course you can also fake another hostname...)


Legato has been warned of this.
 
  10function
