Full Disclosure: Re: Remedy Action Request System 5.01.02 - UserEnumeration

["dj flotek" <djflotek () hotmail com>]

I regularly used to use Remedy in my previous duties. And okay, the 
authentication process does output a message specifying whether the user 
exists or not, and that is not a desirable aspect of any system.

I would like to say however, that Remedy was the most efficient system that 
I was aware of during the time of providing support with multiple 
systems+users. It has its problems, though I think it is fairly stable. And 
largley stable compared with other 'supposed call logging systems'. Having 
said that, I have not had any time to poke n probe it at all.

Seeing as most call logging systems for IT support are provided within a 
LAN/Secure W/LAN environment, the issue seems to be not so URGENT/SERIOUS. I 
mean, it is far easier to track instances of authentication login attempts 
in such a scenario, given certain security enforcements and params. I would 
think, others may disagree.

Yes, systems should not report whether a user does or does NOT exist, and 
such systems as Remedy can be used within any environment. But you would 
have to think that sys-admin's with any sense about them, would be aware to 
such issues with 3rd party app's, and take action accordingly ...

| dot dot dot |




> From: "Davide Del Vecchio" <dante () alighieri org>
> To: full-disclosure () lists grok org uk
> Subject: [Full-disclosure] Remedy Action Request System 5.01.02 - 
> UserEnumeration
> Date: Mon, 15 Jan 2007 17:55:24 +0100
>
> =======================================================
>  Remedy Action Request System User Enumeration
> =======================================================
>
> Davide Del Vecchio Adv#11
>
> Discovered in: 08/01/2007
>
> Version affected: Remedy Action Request System 5.01.02 Patch 1267.
> The same vulnerable code could be present in other versions.
>
> Reference: http://www.alighieri.org/advisories/advisory-remedy50102.txt
>
> Software description:
>
>  From BMC Software website:
>  "Remedy Action Request System 5.01.02 provides a consolidated Service
>  Process Management platform for automating and managing Service
>  Management business processes."
>
>
> The problem:
>
>  During user login phase, it is possible to enumerate existing users
>  examining the error messages provided by the software.
>
>  Suppling a non-existing user the error message is:
>
>
>  ARERR [612] No such user is registered with this server
>       user: test,  server: 10.10.10.11
>
>  Unable to successfully log in to any server.
>
>
>  Suppling an existing user the error message is:
>
>
>  ARERR [329] Invalid password for an existing user
>       user: user,  server: 10.10.10.11
>
>  Unable to successfully log in to any server.
>
>
> Solution:
>
>  Vendor has been contacted 3 times with no answer.
>
>
> Credits:
>
>  Davide Del Vecchio would like to thank his family and all
>  the people supporting him and his research.
>  Support the rosewitch project.
>
>
> Disclaimer:
>
>  The information within this paper may change without notice. Use of this
>  information constitutes acceptance for use in an AS IS condition.
>  There are NO warranties with regard to this information. In no event 
> shall
>  the author be liable for any damages whatsoever arising out of or in
>  connection with the use or spread of this information. Any use of this
>  information is at the user's own risk.
>  ^^^^^^^^
>
> Please send suggestions, updates, and comments to:
> Davide Del Vecchio "Dante Alighieri" - dante at alighieri dot org
> http://www.alighieri.org ~ http://legaest.blogspot.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_________________________________________________________________
Advertisement: Meet Sexy Singles Today @ Lavalife - Click here  
http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Flavalife9%2Eninemsn%2Ecom%2Eau%2Fclickthru%2Fclickthru%2Eact%3Fid%3Dninemsn%26context%3Dan99%26locale%3Den%5FAU%26a%3D23769&_t=754951090&_r=endtext_lavalife_dec_meet&_m=EXT

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/