COMMAND

    Compaq Insight Manager

SYSTEMS AFFECTED

    WinNT and Novell Netware servers running on Compaq hardware

PROBLEM

    Following ia  based on  Infosec Security  Vulnerability Report  by
    Gabriel  Sandberg.   The  web  server  included  in Compaq Insight
    Manager  could  expose  sensitive  information.   Anyone that have
    access  to  port  2301  where  Compaq Insight Manager is installed
    could  get  unrestricted  access  to  the servers disk through the
    "root dot dot" bug.

    When  installing  Compaq  Insight   Manager  a  web  server   gets
    installed.  This web server runs on port 2301 and is vulnerable to
    the old "root dot dot" bug.  This bug gives unrestricted access to
    the vulnerable server?s disk.  It could easily get  exploited with
    one of the URLs:

        http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
        http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf

    (How many  dots there  should be  is install-dependent).   Infosec
    gives the credits to Master Dogen who first reported the problem.

    Vacuum  added  following.   Web-Based  Management  is  enabled, by
    default, when you install the Compaq Server Management Agents  for
    Windows NT.(CPQWMGMT.EXE) The web-enabled Compaq Server Management
    Agents allow you to view  subsystem and status information from  a
    web  browser,  either  locally  or  remotely.  Web-enabled Service
    Management Agents  are availible  in all  4.x versions  of Insight
    Manager.   Compaq HTTP  Server Version  1.2.15 (Pre-Release);  the
    only  user  accounts  available  in  the  Compaq Server Management
    Agent WEBEM release are listed below.

        http://111.111.111.111:2301/cpqlogin.htm

        account anonymous
        username anonymous
        password

        account user
        username user
        password public

        account operator
        username operator
        password operator

        account administrator
        username administrator
        password administrator

       http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes

    is  the  url  used  to  change  the  password.   Unfortunately the
    password is the only information that can be changed and is stored
    in some kind of chiper text in the c:\compaq\wbem\cpqhmmd.acl:

        Compaq-WBEM-AclFile, 1.1
              anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F
              login in progress...  login in progress...
        7A21DD9917C0C23907267FC07DBC7D12
              administrator administrator D6022D9B3FCA717CCEED36E640160478
        51B02137D6BF719FC62F4940DBE1F3E6
              operator operator B5CE548356D1BEA5F1CFEE12FE9502C3
        041D1015AEC9F60412C7F86E62D6672C
              user                                                            user
        EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A

    Once you have found one wbem enabled machine, using compaq's  HTTP
    Auto-Discovery Device List  http://111.111.111.111:2301/cpqdev.htm
    it is trivial to locate other machines.

    There are three types of data:

        Default(read only)
        Sets(read/write)
        Reboot(read/write)

    The   WebAgent.ini   file   in   the  system_root\CpqMgmt\WebAgent
    directory specifies  the level  of user  that has  access to data.
    The "read=" and "write=" entries in the file set the user accounts
    required  for  access,  where:  0=No  access, 1=Anonymous, 2=User,
    3=Operator, and 4=Administrator.   Changing these entries  changes
    the  security.   The  web-enabled  Server  Agent  service  must be
    stopped and  restarted for  any changes  to take  effect.   Do not
    modify anything except the read/write levels.

    There's also denial of service:

        http://111.111.111.111:2301/AAAAAAAA..... (223 A's seemed to be the minimum)

    The  first  time  this  occurs,  an  application  error  occurs in
    surveyor.exe  Exception:  access  violation (0xc0000005), Address:
    0x100333e5.   If you  restart the  Insight Web  Agent Service  and
    repeat  it  will  cause  an  application  error  in   cpqwmget.exe
    Exception:  access violation(0xc0000005), Address 0x002486d4.  The
    http://111.111.111.111 will no longer respond until the service is
    stopped and restarted.

SOLUTION

    You could probably fix the problem by restricting anonymous access
    to the Compaq Insight Manager web server. If you are not using the
    web  server,  Infosec  recommends   disabling  the  service.    To
    completely  remove  the  problem,  make  sure  you  also  stop the
    "surveryor" service as well if you have that installed.  That will
    completely shut off access to port 2301 and plug the hole.