COMMAND
Insight Agent (Compaq PFCUser account)
SYSTEMS AFFECTED
WinNT with 4.20D release of the Compaq Management Agents
PROBLEM
Owen Cunningham found the following. Compaq does not seem to be doing
impressive things with its security lately. He just updated the
Compaq Insight Agents from version 4.22 to 4.23 and noticed that
choosing the "express update" option automatically added a PFCUser
account to the system. By default this account belongs to the
local Administrators group and is granted advanced user rights
that even the Administrators group doesn't ordinarily get, namely
"Act as part of the operating system," "Debug programs,"
"Generate security audits," and "Replace a process level token."
The kicker is that the installation program gives no indication
that it is going to create this account: it doesn't warn you, ask
you, or anything else.
The PFCUser account is installed by the PATROL agent, which is
part of the OS-management functionality of the Compaq Insight
Agents that Compaq licensed from BMC Software. CIA setup will
explicitly prompt you for your preference regarding this
functionality with the following dialog box:
"Compaq Insight Manager has added OS management for Microsoft
Windows NT environments to its superior hardware availability
management, by integrating key technology from BMC Software into
the Compaq Insight Management Agent for Windows NT. Please see
\Agents\Win-nt\Eng\README.TXT for details."
It then asks "Do you wish to install these OS management
components?" If you answer Yes, BMC PATROL gets installed, and
the PFCUser account gets created; if No, BMC PATROL installation
is skipped, and the PFCUser account never touches your system.
This behavior is identical for versions 4.22 and 4.23.
Incidentally, the README.TXT mentioned in the dialog above
contains no information whatsoever about the PFCUser account.
Especially damning is the fact that this document supposedly
contains instructions on removing BMC PATROL, but does not
instruct us to delete the PFCUser account (which, in my mind,
would be a vital step in uninstallation). Another odd behavior
of BMC PATROL is to edit the
%Systemroot%\system32\drivers\etc\services
file so that the line for snmp, which ordinarily is defined to
161/udp, is instead defined to 3161/udp. (Courteously enough,
the doctored line does contain the comment "edited by PFC"!)
After installing BMC Patrol twice, deleting the PFCUser account
between installations, Owen dumped the hashes of both. The hashes
are identical, meaning that the password is *not* uniquely
generated upon each installation. For those of you who have a
PFCUser account out there, please use pwdump2 or the like to grab
the hash and see if it matches the following:
5587afa83c5560fe9bbce258aadddcc0:989135220b8d9f7a57076280ac93c76f
This is the hash assigned to PFCUser *both* times it was created
during my tests. He then played with L0phtcrack, first using just
the hex characters "01234567890ABCDEF", because many passwords
that are generated by programs are just MD5 hashes converted to
ASCII. Sure enough, in about 4 minutes up popped the password
"240653C9467E45".
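A defender's check for the two artefacts described above, written as an added example that is not part of the advisory or of Compaq's tooling: it scans pwdump2-style output for the published PFCUser hash and a services file for an snmp entry moved off 161/udp. The sample dump lines, the RID 1004 and the Administrator hash are constructed.

```python
import re

# LM:NT hash the advisory reports for PFCUser (pwdump2 format, lowercase hex).
KNOWN_PFCUSER_HASH = ("5587afa83c5560fe9bbce258aadddcc0:"
                      "989135220b8d9f7a57076280ac93c76f")

# Constructed sample of pwdump2 output: user:rid:lmhash:nthash:::
SAMPLE_PWDUMP = [
    "Administrator:500:00000000000000000000000000000000:"
    "11111111111111111111111111111111:::",
    "PFCUser:1004:5587AFA83C5560FE9BBCE258AADDDCC0:"
    "989135220B8D9F7A57076280AC93C76F:::",
]

# Constructed sample of %Systemroot%\system32\drivers\etc\services after PATROL.
SAMPLE_SERVICES = """# Copyright (c) 1993-1995 Microsoft Corp.
snmp       3161/udp    # edited by PFC
snmptrap    162/udp    snmp-trap
"""

def find_default_pfcuser(pwdump_lines):
    """Return (user, rid) for every account whose LM:NT hash is the known PFCUser hash.
    Any account name is reported, since the account may have been renamed."""
    hits = []
    for line in pwdump_lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a pwdump2 record
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if f"{lm}:{nt}" == KNOWN_PFCUSER_HASH:
            hits.append((user, rid))
    return hits

# services(5) line: name, whitespace, port/proto, optional aliases and '#' comment.
SERVICES_RE = re.compile(r"^\s*(\S+)\s+(\d+)/(tcp|udp)\b(.*)$", re.IGNORECASE)

def find_moved_snmp(services_text):
    """Return (port, comment) for each 'snmp' udp entry not on the standard port 161."""
    findings = []
    for line in services_text.splitlines():
        m = SERVICES_RE.match(line)
        if not m:
            continue  # blank line or comment-only line
        name, port, proto, rest = m.groups()
        if name.lower() == "snmp" and proto.lower() == "udp" and port != "161":
            comment = rest.split("#", 1)[1].strip() if "#" in rest else ""
            findings.append((int(port), comment))
    return findings
```

A match on the hash means the host still carries the shared default password and should get the SP10629 fix and a removal of the account.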
SOLUTION
The Compaq Foundation Agents v4.40B with fixes for PFCUser issues
is now available for download. The SoftPaq is available as
SP10629 on the Compaq web site. Links to this SoftPaq can be found
on the Compaq Insight Manager download pages on
http://www.compaq.com/sysmanage