> > Security Department
> > Tel : +33 (0)1 41 91 39 00
> > Fax : +33 (0)1 41 91 39 99
> >
> > ____________________________________________________
> >
> > Patrol Security bugs report
> >
> > ____________________________________________________
> >
> > PROBLEM:
> >
> > The PATROL management software from BMC SOFTWARE has 3 severe bugs:
> >
> > 1) Session password encryption weakness:
> >
> > The Patrol session password is protected in a way which does not prevent
> > replay attacks. It is possible for an attacker to capture (wire tapping,
> > network sniffing...) an encrypted password and to provide it to the BMC
> > API to connect to the agent. The attacker can then get a shell with the
> > agent without the administrator knowing it.
> >
> > 2) Patrol frames sealing:
> >
> > The algorithm used in Patrol for sealing the frames exchanged is fairly
> > weak (enhanced checksum). It is thus quite easy for an attacker to build
> > a spoofing system which sends faked frames to an agent.
> >
> > 3) Service deny on UDP port:
> >
> > The UDP ports accept connection requests and are thus exposed to
> > ping-pong from another UDP port (e.g. chargen).
> >
> > ____________________________________________________
> >
> > PLATFORM:
> >
> > Patrol agent until release 3.25 on all operating systems
> >
> > ____________________________________________________
> >
> > DAMAGE:
> >
> > You can get administrator account through Patrol agent without
> > accreditation or crash system by DOS attack.
> >
> > ____________________________________________________
> >
> > SOLUTION:
> >
> > We are actually working with BMC SOFTWARE to correct all those bugs.
> >
> > ____________________________________________________
> >
> > For more information, contact Frederic COSTA : e-mail: fcostaat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:59 PDT