COMMAND
WebTrends Enterprise Reporting Server
SYSTEMS AFFECTED
WebTrends Enterprise Reporting Server ver 1.5
PROBLEM
Manos Megagiannis found the following. WebTrends Enterprise Reporting
Server ver 1.5 running on Linux or Solaris has the following
vulnerabilities:
1) If the WebTrends Enterprise Reporting Server is running as
root, a file ownership misconfiguration may allow local users
to gain root privileges.
2) WebTrends Enterprise Reporting Server logs debug
information to a world-readable and world-writable file. The
debug information may include user names and passwords
stored in clear text, so local users may gain unauthorized
access to the server as well as to the WebTrends
administration software. Local users can also modify that
file, which makes it useless for auditing.
If the server is running without PAM, you have to use the
WebTrends interface to create new users and set their
passwords. In that case, by default, everything (including
user name and password) is stored in clear text in the file
"interface.log", which has read/write permissions for user,
group and other. Any local user can read that file, so if a
WebTrends user also has a shell account on the box with the
same password, that account can be compromised. Since
everybody also has write access to the file, they can alter
it, so the file cannot be trusted as an audit record.
3) WebTrends Enterprise Reporting Server stores its user
information in files with world read/write permissions. Local
users may gain unauthorized access to the WebTrends
administration software and/or cause a denial of service. All
user information is stored in the directory
"wtm_wtx/datfiles/users", one file per user named
"username.usr". Those files have read/write permissions for
owner, group and other. Any local user can decrypt the
password stored in a user file or, even more easily, alter or
delete the file and so cause a denial of service.
4) WebTrends Enterprise Reporting Server stores its profile
information in files with world read/write permissions, so
local users may cause a denial of service. As with the user
files, all profile information is stored in
"wtm_wtx/datfiles/profiles" with read/write permissions for
owner, group and other. Any local user can alter or delete a
profile file and so cause a denial of service.
5) The default installation of WebTrends Enterprise Reporting
Server has a blank administrator password. A remote user may
be able to gain administrative privileges in the WebTrends
administration software.
A local user who has (or gains) the uid or gid of bin can gain
root privileges. The WebTrends directories containing the scripts
(executed as root) are owned by user bin, group bin, with
read/write/execute permissions for owner and group. Anyone who
can write there can therefore drop a simple Perl script that will
be executed as root.
SOLUTION
The server can run as root or as some other user, but in order
to use PAM (Pluggable Authentication Modules) it has to run as
root. There is also an entry in the configuration file that
specifies which user the front end runs as, but the front end
only interfaces to the server, which runs as root anyway, so the
problems above still apply. No proper solution yet.
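As an added example (not from the advisory, and not WebTrends' own tooling), the following POSIX shell script audits an install tree for the file-permission problems listed under PROBLEM (items 2 to 4 and the bin-owned script directories) and applies the interim tightening an operator can do until a vendor fix appears. It assumes a hypothetical install root (for example /opt/webtrends) laid out with the relative paths the advisory names, and a service account that defaults to bin:bin; the paths and file names in the usage comments are illustrative.

```shell
#!/bin/sh
# Added example: audit a WebTrends Enterprise Reporting Server install
# tree for the permission problems described in the advisory and apply
# interim tightening. Not part of the advisory or of the product.
#
# Assumptions: ROOT is a hypothetical install directory containing the
# relative paths named in the advisory (interface.log,
# wtm_wtx/datfiles/users, wtm_wtx/datfiles/profiles); the account owning
# the root-executed script directories is bin:bin unless overridden.

# wt_audit ROOT [OWNER [GROUP]]
# Prints one finding per line; prints nothing for a clean tree.
wt_audit() {
    root="$1"; owner="${2:-bin}"; group="${3:-bin}"

    # Items 2-4: any file a local user can overwrite (other-write bit set).
    find "$root" -type f -perm -0002 -print \
        | sed 's|^|file writable by other: |'

    # Item 2: interface.log holds user names and passwords in clear text,
    # so it must not be readable by other either.
    find "$root" -type f -name interface.log -perm -0004 -print \
        | sed 's|^|cleartext log readable by other: |'

    # Item 3: per-user files hold passwords that a local user can recover.
    find "$root" -type f -path '*/datfiles/users/*' -perm -0004 -print \
        | sed 's|^|user file readable by other: |'

    # Root-executed scripts live in directories owned by OWNER:GROUP with
    # the group-write bit set; anyone with that uid or gid can plant one.
    find "$root" -type d \( -user "$owner" -o -group "$group" \) \
        -perm -0020 -print \
        | sed 's|^|script dir writable by service group: |'
}

# wt_audit_count ROOT [OWNER [GROUP]]  -> number of findings on stdout
wt_audit_count() {
    wt_audit "$@" | wc -l | tr -d ' '
}

# wt_harden ROOT [OWNER [GROUP]]
# Interim hardening: drop other-write everywhere, other-read from the
# credential-bearing files, and group-write from the service-owned script
# directories. The root-run server keeps its access. This does not stop
# the server running as root; reassigning the script directories to root
# (chown, needs root) is the stronger step and is left to the operator.
wt_harden() {
    root="$1"; owner="${2:-bin}"; group="${3:-bin}"
    find "$root" -type f -perm -0002 -exec chmod o-w {} +
    find "$root" -type f -name interface.log -exec chmod o-rw {} +
    find "$root" -type f -path '*/datfiles/users/*' -exec chmod o-rw {} +
    find "$root" -type f -path '*/datfiles/profiles/*' -exec chmod o-w {} +
    find "$root" -type d \( -user "$owner" -o -group "$group" \) \
        -perm -0020 -exec chmod g-w {} +
}

# Usage on a real install (hypothetical path):
#   . ./wt_perms.sh
#   wt_audit  /opt/webtrends      # list findings, one per line
#   wt_harden /opt/webtrends      # apply the interim tightening
#   wt_audit  /opt/webtrends      # should now print nothing
```

Run wt_audit first and review its output before hardening; wt_harden only clears group/other bits, and it does nothing about the blank administrator password (item 5) or about the server itself running as root, which the advisory says has no proper solution yet.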