[10932] in bugtraq


ISSalert: ISS Security Advisory: Bad Permissions on Passwords

daemon@ATHENA.MIT.EDU (aleph1@UNDERGROUND.ORG)
Sun Jul 4 13:45:16 1999

Mime-Version: 1.0
Content-Type: application/pgp; format=text; x-action=sign
Message-Id: <19990704090952.27236.qmail@underground.org>
Date: 	Sun, 4 Jul 1999 02:09:51 -0700
Reply-To: X-Force <xforce@iss.net>
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@NETSPACE.ORG



ISS Security Advisory
June 29, 1999

Bad Permissions on Passwords Stored by WebTrends Software


Synopsis:

Internet Security Systems (ISS) X-Force has discovered a security hole in
many WebTrends products that allows access to service account and MAPI
usernames and passwords. WebTrends specializes in providing enterprise
management solutions software.

Most WebTrends software provides the capability to run at startup as a
Windows NT service and use a MAPI profile to send reports via e-mail. All
of the vulnerable programs store the NT service account and password, as
well as the MAPI profile name and password, in a file with 'Everyone: Full
Access' permissions. Remote and local attackers can discover the service
account username and password (which, by definition, has to be an
Administrator account) and the MAPI profile name and password. The file is
in the installation directory and is called 'WebTrend.INI'. Although the
password is encrypted, the encryption algorithm is simple and the password
can be easily decoded.


Description:

The vulnerability only applies to systems using the MAPI and NT service
features in the following or earlier versions of the applications
currently identified as vulnerable by ISS X-Force: WebTrends for Firewalls
v1.2, WebTrends Security Analyzer v2.0, WebTrends Professional Suite
v3.01, WebTrends Log Analyzer v4.51, and WebTrends Enterprise Suite v3.5.
All applications run on the Windows NT platform.


Recommendations:

If you use the MAPI or NT service feature in any of the vulnerable
products, install the latest versions of the product that include the
128-bit encryption algorithm. These versions include: WebTrends for
Firewalls v1.2b Build 4163, WebTrends Security Analyzer v2.1a Build 8043,
WebTrends Professional Suite v3.01a Build 4053, WebTrends Log Analyzer
v4.51a Build 4108, and WebTrends Enterprise Suite v3.5a Build 4212.

In addition, ISS X-Force and WebTrends recommend that you modify the ACL
settings to an appropriate level of security for the user of that system.
Specifically, remove the 'Everyone: Full Control' permission and add
'Administrators: Full Control', so only administrators have access to the
file. To do this, open the directory for the application in Windows NT
Explorer, right click on WebTrends.INI, go to 'Properties', select the
'Security' tab, and click the 'Permissions' button. There will be a dialog
that will allow you to adjust the permissions on the file.
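
A scripted equivalent of the permission check and change described above, as an added example that is not part of the ISS advisory. It uses PowerShell's `Get-Acl`/`Set-Acl`, which postdate the Windows NT systems the advisory covers; the file path is a placeholder and the `-Fix` switch is this example's own parameter.

```powershell
# Added example: audit the ACL on the WebTrends INI file and, with -Fix,
# restrict it to Administrators: Full Control as the advisory recommends.
param(
    # Placeholder path: point this at the INI file in your installation directory.
    [string]$IniPath = 'C:\PATH\TO\WEBTRENDS\WebTrends.INI',
    [switch]$Fix
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Well-known SIDs, so the check does not depend on localized group names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

$acl = Get-Acl -LiteralPath $IniPath

# Ask for rules keyed by SID (explicit and inherited) and keep the Allow
# entries that grant access to one of the broad groups above.
$findings = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
        [pscustomobject]@{
            Group     = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not $findings) { Write-Output "OK: no broad-group access on $IniPath"; return }
$findings | Format-Table -AutoSize

if ($Fix) {
    # Stop inheriting from the directory and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit entry, then grant Administrators full control only.
    foreach ($ace in @($acl.GetAccessRules($true, $false, $sidType))) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $adminsSid, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $IniPath -AclObject $acl
    Write-Output "Fixed: $IniPath is now Administrators: Full Control only"
}
```

Run it without `-Fix` first to see which entries would be flagged. Tightening the ACL does not change the stored password, so a service account whose password sat in a world-readable file should also have that password changed.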

Customers who are not able to download the most recent versions should not
use the MAPI and NT Service options in WebTrends products.

Credits:

This vulnerability was discovered by Internet Security Systems and
researched by the ISS X-Force. ISS appreciates the assistance and
contributions of individuals at WebTrends.

__________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of X-Force.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

About ISS
ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks
and over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


