|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <NCBBKFKDOLAGKIAPMILPKEHBCEAA.luck@ussrback.com> Date: Sat, 27 May 2000 07:17:44 -0300 Reply-To: Luciano Martins <luck@USSRBACK.COM> From: Luciano Martins <luck@USSRBACK.COM> X-To: Ollie Whitehouse <ollie@delphisplc.com>, BUGTRAQ@SECURITYFOCUS.COM To: BUGTRAQ@SECURITYFOCUS.COM In-Reply-To: <6C740781F92BD411831F0090273A8AB806FD5F@exchange.servers.delphis.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 McAfee WebShield SMTP v4.5.74.0 tested using this tool "ATGuard" is affected to the authentication issue Im sorry, but the only way to see it is using this tool ;) u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h http://www.ussrback.com - -----Original Message----- From: Ollie Whitehouse [mailto:ollie@delphisplc.com] Sent: Saturday, May 27, 2000 5:44 AM To: 'Luciano Martins'; BUGTRAQ@SECURITYFOCUS.COM Subject: RE: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44 Management Tool Luciano, The issue we found was that if the WebShield management agent is unable to resolve your IP address to a host name (i.e. local host) it will allow you access. By resolve I mean by another of the following means: Netbios / WINS DNS A good way of testing this is to have something like ATGuard which blocks all traffic coming from your machine (i.e. browser broadcasts). So nothing is able to resolve your IP to NAME then connect to port 9999. We had both issues confirmed by Network Associates on the 22nd May 2000 by the development team/product manager. Rgds Ollie - ------ Security Team Leader Delphis Consulting Plc Tel: +44 (0)20 79160200 Fax: +44 (0)20 79161620 - -----Original Message----- From: Luciano Martins [mailto:luck@USSRBACK.COM] Sent: Friday, May 26, 2000 5:02 AM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: DST2K0004b: Authentication issue in WebShield SMTP v4.5.44 Management Tool *** PGP Signature Status: good *** Signer: Luciano Martins <luck@ussrback.com> *** Signed: 5/26/00 1:02:20 AM *** Verified: 5/27/00 6:25:30 AM *** BEGIN PGP VERIFIED MESSAGE *** well, hello first :), we have been researching McAfee WebShield SMTP v4.5.74.0 for a long time (since the middle of march), and by default only (localhost) can connect to port 9999. So this "Authentication issue in WebShield SMTP v4.5.44 Management", has no effect on the last version released the March 15, 2000. > II. Solution > ==================================================================== > ======== ==== > > Vendor Contacted: 8-May-2000 > > Currently there is no vendor patch available but there is the > following preventative measures: Of course, NAI did nothing because the problem is already fixed in latest version. u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h http://www.ussrback.com Security Team wrote: > ==================================================================== > ======== ==== > Delphis Consulting Plc > ==================================================================== > ======== ==== > > Security Team Advisories > [08/05/2000] > > securityteam@delphisplc.com > > ==================================================================== > ======== ==== > Adv : DST2K0004b > Title : Authentication issue in WebShield SMTP v4.5.44 > Management Tool > Author : DCIST (securityteam@delphisplc.com) > O/S : Microsoft Windows NT v4.0 Server (SP6) > Product : NAI WebShield SMTP v4.0.5 > Date : 08/05/2000 (Updated 15/05/2000) > > I. Description > > II. Solution > > III. Disclaimer > ==================================================================== > ======== ==== > > I. Description > ==================================================================== > ======== ==== > > Delphis Consulting Internet Security Team (DCIST) discovered the > following vuln- > erability in the NAI Management Agent for WebShield SMTP under > Windows NT. > > Connecting to a machine which runs the management agent on port > 9999 may allow > an attacker to obtain read and write access to the configuration of > a WebShield > SMTP server. This appears to happen, even if the the MailCfg > service is set to > only allow configuration to take place from "localhost" in some > configurations. > > The configuration data appears written to the registry before the > service suffers from lack of bounds checking. This information > written to the registry > can be used to prevent the WebShield service from being started. > > Update: 15/05/2000 > > The configuration agent uses hostname for authentication, if the > server upon which the management agent is running is unable to > resolve a hostname to the IP address it will allow access by > default. > > II. Solution > ==================================================================== > ======== ==== > > Vendor Contacted: 8-May-2000 > > Currently there is no vendor patch available but the following are > preventative > measures Delphis Consulting Internet Security Team would advise > users running > this service to implement. > > o Don't allow the service to run as SYSTEM but as a restricted user > account. o Access list port 9999 on the local router or firewall to > restrict access to only required machines. > o Stop the management service. > > III. Disclaimer > ==================================================================== > ======== ==== > THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE > ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY > IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. > NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY > WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE > ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS > INFORMATION FOR ANY PURPOSE. > ==================================================================== > ======== ==== *** END PGP VERIFIED MESSAGE *** -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> iQA/AwUBOS+gx63JcbWNj6DDEQIkOgCgjrcElOgzDm6smY4LQfvUdBs5FnAAoOKY uwJ99dXmt8g08MqbgoR7hCyk =LmkN -----END PGP SIGNATURE-----
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |