COMMAND

    ARCserve NT agents

SYSTEMS AFFECTED

    Win NT with ARCserve

PROBLEM

    The following was posted by Elvis. You can obtain user names and
    passwords used by ARCserve NT agents when an NT system is backed
    up over a TCP/IP network. Usually, for complete access to the
    system, these accounts will be granted administrator rights. This
    only affects the "stock" NT agents. The Exchange and SQL backup
    agents appear to use NTLANMAN authentication (which has its own
    problems). There are probably similar exploits available over
    IPX/SPX and NetBEUI, but this note only covers TCP/IP.

    Set your sniffer (Network Monitor from Systems Management Server
    will do) to listen for TCP/IP packets directed to port 6050 (17A2
    hex). This will be the ARCserve server connecting to the remote
    client. The third packet you get is the one you want. The user
    name will be at offset 0x00EE in clear ASCII text. The password
    will be at offset 0x011E. Simply XOR these bytes with the ASCII
    values of the string "Ambuf1,et(0,21)", minus quotes of course, to
    get the PLAIN TEXT password! If you bother to search, you will
    find "Ambuf1,et(0,21)" in no less than 17 ARCserve EXEs and DLLs.

SOLUTION

    Enhancements have been made to the ARCserve 6.5 NT Client Agent
    security protocol. The updated files are available for download
    at:

        http://support.cai.com/Download/patches/asnt/LO45599.html

    A remote install of this agent that will incorporate the changes
    will be available soon.
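
    An added example, not part of the original advisory or of ARCserve: a check to run on a frame captured from your own backup traffic to port 6050 after installing the updated agent, reporting whether it still matches the layout described under PROBLEM without printing the password. Assumptions: offsets count from the start of the captured frame, fields are NUL-terminated, and only the first 15 bytes (the key length) of the password field are examined; the function names and the sample frame are constructed here.

```python
"""Post-patch check: does a captured frame still expose agent credentials?"""
import string

KEY = b"Ambuf1,et(0,21)"               # fixed string quoted in the advisory
USER_OFF, PASS_OFF = 0x00EE, 0x011E    # offsets quoted in the advisory
# Printable ASCII including space, excluding control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def _cstr(buf: bytes) -> bytes:
    """Return buf up to the first NUL (assumed field terminator)."""
    return buf.split(b"\x00", 1)[0]


def _is_text(buf: bytes) -> bool:
    """True for a non-empty run of printable ASCII."""
    return len(buf) > 0 and all(b in PRINTABLE for b in buf)


def frame_exposes_credentials(frame: bytes) -> dict:
    """Report whether a frame matches the weak layout, never returning the password."""
    if len(frame) < PASS_OFF + len(KEY):
        return {"exposed": False, "reason": "frame too short"}
    user = _cstr(frame[USER_OFF:PASS_OFF])
    masked = frame[PASS_OFF:PASS_OFF + len(KEY)]
    unmasked = _cstr(bytes(m ^ k for m, k in zip(masked, KEY)))
    if _is_text(user) and _is_text(unmasked):
        # Only the account name and the password length are reported.
        return {"exposed": True, "user": user.decode("ascii"),
                "password_length": len(unmasked)}
    return {"exposed": False, "reason": "fields do not decode to text"}


def build_constructed_frame(user: bytes, password: bytes) -> bytes:
    """Constructed test input in the assumed layout; not a real capture."""
    frame = bytearray(0x140)
    frame[USER_OFF:USER_OFF + len(user)] = user
    padded = password.ljust(len(KEY), b"\x00")
    frame[PASS_OFF:PASS_OFF + len(KEY)] = bytes(p ^ k for p, k in zip(padded, KEY))
    return bytes(frame)


if __name__ == "__main__":
    sample = build_constructed_frame(b"backupsvc", b"Example-Pw1")
    print(frame_exposes_credentials(sample))
```

    A result of "exposed": True on traffic from a patched agent means the account should be treated as disclosed and its password changed.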