[10148] in bugtraq
Patrol security bugs
daemon@ATHENA.MIT.EDU (fcosta)
Fri Apr 9 14:37:47 1999
Date: Fri, 9 Apr 1999 12:46:33 +0200
Reply-To: fcosta <fcosta@CF6.FR>
From: fcosta <fcosta@CF6.FR>
To: BUGTRAQ@NETSPACE.ORG
> > Security Department
> > Tel : +33 (0)1 41 91 39 00
> > Fax : +33 (0)1 41 91 39 99
> >
> ____________________________________________________
>
> Patrol Security bugs report
>
> ____________________________________________________
>
> PROBLEM:
>
> The PATROL management software from BMC SOFTWARE has 3 severe bugs:
>
> 1) Session password encryption weakness:
>
> The Patrol session password is protected in a way which does not prevent
> replay attacks. It is possible for an attacker to capture (wire
> tapping, network sniffing...) an encrypted password and to provide it to the
> BMC API to connect to the agent. The attacker can then get a shell with the
> agent without the administrator knowing it.
>
> 2) Patrol frames sealing:
>
> The algorithm used in Patrol for sealing the frames exchanged is fairly weak
> (enhanced checksum). It is thus quite easy for an attacker to build a
> spoofing system which sends faked frames to an agent.
>
> 3) Denial of service on UDP port:
>
> The UDP ports accept connection requests and are thus exposed to ping-pong
> from another UDP port (e.g. chargen).
>
> ____________________________________________________
>
>
> PLATFORM:
>
> Patrol agent until release 3.25 on all operating systems
>
> ____________________________________________________
>
> DAMAGE:
>
> You can get an administrator account through the Patrol agent without
> accreditation, or crash the system by a DoS attack.
>
> ____________________________________________________
>
> SOLUTION:
>
> We are currently working with BMC SOFTWARE to correct all those bugs.
> ____________________________________________________
>
> For more information, contact Frederic COSTA: e-mail: fcosta@cf6.fr
>
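The two sealing weaknesses in points 1 and 2 (a replayable session credential and a keyless checksum seal), illustrated as an added Python example that is not part of the original advisory and does not use the real PATROL wire format: the toy frame layout, the `checksum_seal`/`hmac_seal` functions and the `Receiver` class are all constructed here. A keyless checksum can be recomputed by anyone holding the frame, whereas a keyed HMAC over a strictly increasing sequence number lets the receiver reject both modified and replayed frames.

```python
import hmac
import hashlib
import struct

TAG_LEN = 32  # SHA-256 HMAC tag length in bytes

# Constructed toy frame layout for illustration only (not the real PATROL format):
#   checksum-sealed frame: payload || 4-byte big-endian checksum
#   HMAC-sealed frame:     4-byte big-endian seq || payload || 32-byte HMAC tag


def checksum_seal(payload: bytes) -> bytes:
    """Keyless 'enhanced checksum' seal: a function of the frame bytes alone,
    so any party that can read a frame can also produce a valid seal for it."""
    return payload + struct.pack(">I", sum(payload) & 0xFFFFFFFF)


def checksum_verify(frame: bytes) -> bool:
    """Integrity check only: catches accidental corruption, not forgery."""
    return len(frame) >= 4 and checksum_seal(frame[:-4]) == frame


def hmac_seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed seal over the sequence number and the payload."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if its tag verifies under the shared key and its
    sequence number is strictly greater than the last accepted one."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # modified, or forged without the key
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return False  # replay of an already-accepted frame
        self.last_seq = seq
        return True
```

The sequence number stands in for whatever freshness value (nonce, counter, timestamp) a session protocol binds into its authentication, which is what distinguishes a one-time credential from one that can be captured and resent.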