Bugtraq mailing list archives

Legato Networker vulnerability
From: 10function () netcourrier com
Date: Wed, 21 Nov 2001 16:52:23 +0100 (CET)

There's a weakness in the authentication scheme of Legato Networker software prior to version 6.1.
When a client contacts the server, it announces (in clear text) via RPC its hostname or IP address, its username and
the user's groups.
Then the server tries to resolve the IP address of the machine which initiated the dialog; if it fails, it sends
an "unknown host" answer but doesn't stop the authentication process.
As a result, every machine whose IP couldn't be resolved by the server can fake any host or user,
and in this way gain administrator privilege on the Networker admin interface.
                -------------------------------
Proof of concept:
Here, we suppose that "server" is the Networker server, whose IP is 1.2.3.4.
We are now using a machine called "intruder", whose IP is A.B.C.D, which can communicate freely with "server".
Prerequisite: "server" must be unable to resolve the hostname "intruder" by reverse lookup of its IP address (this
machine is unknown in /etc/hosts and the associated DNS zone).

So, as root on "intruder", we will do the following actions:
· Change the hostname of the machine in order to fake the server's one:
# hostname server
· Also fake the resolution mechanism on the intruder machine:
Add "A.B.C.D server" to /etc/hosts
· Contact the server with:
nwadmin -s 1.2.3.4
· Now the server thinks you are root@server, so it will probably grant you the admin privileges.

(You can also fake another user by creating this user on "intruder" and doing a su.)
(Of course you can also fake another hostname...)


Legato has been warned of this.
 
  10function
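To make the server-side logic the post describes concrete, the following is an added model written for this page; it is not Legato Networker's code. `weak_check` follows the post (a failed reverse lookup only produces an "unknown host" answer and the client-announced identity is then trusted), while `strict_check` is the editor's suggested fail-closed variant that also requires the reverse record to be forward-confirmed. The lookup tables, the `ADMINS` set and the assumption that a resolvable but mismatching host is rejected are constructed for the example.

```python
"""Model of the Networker authentication weakness beside a hardened check.
Added illustration, not the product's code; resolver tables are constructed
so the example runs offline."""

# Constructed stand-in for /etc/hosts and DNS, both directions.
REVERSE = {"1.2.3.4": "server", "10.0.0.7": "client7"}   # ip -> hostname
FORWARD = {"server": "1.2.3.4", "client7": "10.0.0.7"}   # hostname -> ip
ADMINS = {("root", "server")}                            # (user, host) granted admin


def weak_check(peer_ip, claimed_host, claimed_user):
    """Behaviour described in the post: when the peer address cannot be
    resolved the server answers 'unknown host' but keeps going, so the
    hostname the client announced over RPC is what gets authorised."""
    resolved = REVERSE.get(peer_ip)
    if resolved is None:
        print("unknown host")      # warning only, no rejection
        host = claimed_host        # trusts the client-supplied hostname
    elif resolved != claimed_host:
        return False               # assumption: a resolvable mismatch is denied
    else:
        host = resolved
    return (claimed_user, host) in ADMINS


def strict_check(peer_ip, claimed_host, claimed_user):
    """Fail closed: an unresolvable peer is denied, the claimed host must match
    the reverse lookup, and the reverse record must point back at the peer
    address (forward-confirmed reverse DNS), so a spoofed hostname in the
    client's announcement never becomes the authorised identity."""
    resolved = REVERSE.get(peer_ip)
    if resolved is None or resolved != claimed_host:
        return False               # unknown or mismatching peer: deny
    if FORWARD.get(resolved) != peer_ip:
        return False               # reverse record not forward-confirmed
    return (claimed_user, resolved) in ADMINS


if __name__ == "__main__":
    # 203.0.113.9 plays the unresolvable "intruder" announcing itself as root@server.
    print("weak  :", weak_check("203.0.113.9", "server", "root"))    # True
    print("strict:", strict_check("203.0.113.9", "server", "root"))  # False
```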


