Legato Networker vulnerability
From: 10function () netcourrier com
Date: Wed, 21 Nov 2001 16:52:23 +0100 (CET)
There's a weakness in the authentication scheme of Legato Networker Software prior to version 6.1.
When a client contacts the server, it announces (in clear text) via RPC its hostname or IP address, its username and
the user's groups.
Then the server tries to resolve the IP address of the machine which has initiated the dialog; if it fails, it sends
an "unknow host" answer but doesn't stop the authentication process.
As a result, every machine whose IP couldn't be resolved by the server can fake any host or user.
And, in this way, then gain administrator privileges on the Networker admin interface.
Here, we suppose that "server" is the Networker server whose IP is 188.8.131.52.
We are now using a machine called "intruder", which can communicate freely with "server" and whose IP is A.B.C.D.
Prerequisite: "server" must be unable to perform a reverse lookup for the hostname "intruder" into an IP address (this
machine is unknown in /etc/hosts and the associated DNS zone).
So as root on "intruder", we will do the following actions:
· Change the hostname of the machine in order to fake the server's one:
· Also fake the resolution mechanism on the intruder machine
Add "A.B.C.D server" into /etc/hosts
· Contact the server by
nwadmin -s 184.108.40.206
· Now the server thinks you are root@server, so it will probably give you the admin privileges.
(you can possibly fake another user by creating this user on "intruder" and doing a su)
(Of course you can also fake another hostname...)
Legato has been warned of this.
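
The fail-open check described in the message, next to a fail-closed version, as an added example that is not part of the original post and is not Legato's code. The function names, lookup tables, hostnames and addresses are all constructed for illustration, and the handling of a resolved-but-mismatched peer in the first function is an assumption, since the post only describes the failed-lookup case.

```python
# Constructed lookup tables stand in for the server's own /etc/hosts and
# DNS view. Every name and address here is made up for the example.
REVERSE = {"192.0.2.10": "server.example"}      # ip -> hostname
FORWARD = {"server.example": {"192.0.2.10"}}    # hostname -> ips
ADMINS = {("root", "server.example")}           # administrator list


def reverse_lookup(ip):
    """Return the hostname the server resolves for ip, or None on failure."""
    return REVERSE.get(ip)


def fail_open_check(peer_ip, claimed_host, claimed_user):
    """Behaviour described in the post: a failed lookup does not stop auth."""
    resolved = reverse_lookup(peer_ip)
    if resolved is not None and resolved != claimed_host:
        return False  # assumption: a resolvable peer is held to its real name
    # resolved is None: "unknown host" is reported, but the client's own
    # claim about its hostname and user is still what gets authorized.
    return (claimed_user, claimed_host) in ADMINS


def fail_closed_check(peer_ip, claimed_host, claimed_user):
    """Hardened: host identity comes only from the server's own lookups."""
    resolved = reverse_lookup(peer_ip)
    if resolved is None:
        return False  # unresolvable peer: stop here
    if peer_ip not in FORWARD.get(resolved, set()):
        return False  # reverse result not confirmed by a forward lookup
    if resolved != claimed_host:
        return False  # client's claim disagrees with the resolution
    return (claimed_user, resolved) in ADMINS


if __name__ == "__main__":
    unknown_peer = "198.51.100.7"  # constructed: absent from REVERSE
    print("fail-open  :", fail_open_check(unknown_peer, "server.example", "root"))
    print("fail-closed:", fail_closed_check(unknown_peer, "server.example", "root"))
```

The hardened check only closes the host-identity gap; the username is still whatever the client announces, so it needs its own verification.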