ALERT: SLMail 3.2 (and 3.1) with the Remote Administration Service

From: mnemonix (mnemonixat_private)
Date: Wed Feb 24 1999 - 22:36:31 PST


    Introduction
    This advisory is for those running SLMail version 3.2 or 3.1 with the Remote
    Administration Service enabled. Due to certain shortcomings of this service,
    any user with an account on the NT machine running SLMail can bypass all
    NTFS file system permissions to read any file on the system that hasn't
    already been locked by another process (such as the
    c:\winnt\system32\config\sam file). Added to this, the file can then be
    read by anyone on the Internet.
    
    Details
    The Remote Administration Service in SLMail allows changes to mail services
    to be performed using the HTTP protocol over TCP port 180, by default. NTLM
    authentication can be enabled so that only users with an account and a
    corresponding password may access this service. Once authenticated, however,
    they do not need to be an Administrator to make changes to the mail services
    and user account information. This happens because the service does not
    impersonate the logged-on user, so every change made is performed under the
    SYSTEM account.
    
    Once authenticated, they can then set a user's Finger File (Plan, for the
    UNIX people) to any arbitrary file on the system. They must know the path to
    the file they wish to access. Once this change has been set, they can then
    "finger" the user and the file's contents are returned. This works because
    the finger service, which is controlled by the slmail.exe process, is running
    as SYSTEM, which has full control of all files on the machine by default.
    Needless to say, if the machine is accessible via the finger port (TCP port
    79) from the Internet then anybody will be able to read this file. (In some
    cases, where there are non-standard alphanumerics, x00 values or similar in
    the file, the returned data will be truncated.)
    
    If the Finger service, which is controlled by the slmail.exe process, has
    been disabled by the administrator, it can be re-enabled from the Remote
    Administration web pages.
    
    Added to this problem, many variations of denial-of-service attack can be
    launched, such as changing passwords, stopping services, overwriting files
    and so on.
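    The two defects described above (no role check on who may change a user's
    settings, and a finger file that may point anywhere because the daemon reads
    it as SYSTEM) are easiest to see side by side. The following Python is an
    added illustration, not SLMail's code: it models the reported behaviour and
    beside it the two checks a corrected service would make, namely that only
    the account owner or an administrator may change a finger file, and that the
    path must resolve inside that user's own home directory. The user table, the
    directory layout and the file contents are constructed for the example; the
    real fix would additionally impersonate the caller when opening the file, so
    that NTFS permissions apply, which this portable model does not attempt.

```python
"""Added example (not SLMail's code): flawed finger-file handling beside a
hardened version. All names, paths and contents below are constructed."""
import tempfile
from pathlib import Path

# Constructed account table: name -> role the service believes it has.
USERS = {"alice": "user", "bob": "user", "root": "admin"}


def set_finger_file_vulnerable(settings: dict, user: str, requested: str) -> str:
    """Model of the reported behaviour: any authenticated account may point any
    user's finger file at any path. No role check and no path confinement."""
    settings[user] = requested
    return requested


def finger_vulnerable(settings: dict, user: str) -> str:
    """The finger daemon reads the configured path with the service's own
    privileges (SYSTEM in the advisory), so the target's NTFS ACL never applies."""
    with open(settings[user], "rb") as fh:
        return fh.read().decode("latin-1", errors="replace")


def set_finger_file_hardened(settings: dict, home_root: Path,
                             actor: str, user: str, requested: str) -> Path:
    """Hardened model: the caller must be the account owner or an admin, and the
    requested path must resolve inside the user's own home directory."""
    if actor != user and USERS.get(actor) != "admin":
        raise PermissionError(f"{actor} may not change {user}'s finger file")
    home = (home_root / user).resolve()
    # resolve() collapses '..' components and follows symlinks before the
    # containment check, so traversal and link tricks are judged on the real path.
    candidate = (home / requested).resolve()
    if home not in candidate.parents:
        raise ValueError(f"finger file must live under {home}")
    settings[user] = candidate
    return candidate


def demo() -> dict:
    """Build a constructed layout and exercise both models; returns the outcomes."""
    root = Path(tempfile.mkdtemp())
    homes = root / "homes"
    (homes / "alice").mkdir(parents=True)
    (homes / "alice" / "plan.txt").write_text("alice's plan\n")
    secret = root / "secret"
    secret.mkdir()
    (secret / "private.txt").write_text("SHOULD NOT BE READABLE VIA FINGER\n")

    out = {}

    # Flawed model: an ordinary account points alice's finger file at a file
    # outside any home directory, and the daemon hands its contents back.
    vuln = {}
    set_finger_file_vulnerable(vuln, "alice", str(secret / "private.txt"))
    out["vulnerable_leaks"] = "SHOULD NOT" in finger_vulnerable(vuln, "alice")

    # Hardened model: bob is neither alice nor an admin, so he is refused.
    hard = {}
    try:
        set_finger_file_hardened(hard, homes, "bob", "alice", "plan.txt")
        out["bob_blocked"] = False
    except PermissionError:
        out["bob_blocked"] = True

    # Hardened model: alice may edit her own entry but cannot escape her home.
    try:
        set_finger_file_hardened(hard, homes, "alice", "alice",
                                 "../../secret/private.txt")
        out["traversal_blocked"] = False
    except ValueError:
        out["traversal_blocked"] = True

    # Hardened model: a legitimate change inside the home directory works.
    chosen = set_finger_file_hardened(hard, homes, "alice", "alice", "plan.txt")
    out["legit_ok"] = chosen.read_text().startswith("alice")
    return out


if __name__ == "__main__":
    print(demo())
```

    The containment test compares resolved paths rather than string prefixes,
    which is what makes the "../../" case fail cleanly; a prefix comparison on
    the raw text would pass it.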
    
    Solution
    Because of this, Remote Administration should be DISABLED. If this is not
    viable then the only way to prevent unauthorized users (those with
    accounts) is to remove the "Access this computer from the Network" user
    right from the "Everybody" group and give this privilege to Administrators
    only.
    
    Cheers,
    David Litchfield
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:31 PDT