Re: Tivoli Management Framework Alert!!!

From: Duct Tape (duc_ttapeat_private)
Date: Fri Aug 03 2001 - 09:02:07 PDT


    After conducting the penetration testing, we were able to gain full
    access to other machines inside a customer's dmz network because of
    Tivoli!!!
    
    Scenario:
    
    Cisco PIX firewall protecting a set of Internet Web and database
    servers from the Internet in a dmz.  The PIX also protected the
    internal machines from the Internet.  The machines in the dmz were both
    NT and Unix.  The internal network had a Tivoli management station
    which monitored the dmz machines and internal machines.
    
    Testing:
    
    We were able to break into an IIS server that hadn't been patched for
    the CGI decode vulnerability.  With this vulnerability we could upload
    an exec program on Windows where we could spoof the name and IP address
    of the sending machine.  With this tool we could send commands to all
    other Unix machines in the same dmz that would be executed under the
    permissions of the Tivoli management station.
    
    Alert:
    
    Tivoli requires Rexec (port 512) to run on their managed hosts.  When
    these hosts are connected to the Internet, there is a huge risk Tivoli
    will allow full access to all machines in your DMZ.
    
    Actions to be taken by Admins:
    
    Disable Tivoli monitoring from dmz machines until IBM fixes the
    problem.
    
    Requests to IBM:
    
    Have you ever heard of SSH?  Remove rexec from all Tivoli product
    requirements and replace it with SSH.
    
    Follow up:
    
    We are still looking at vulnerabilities in CORBA 1.1 and port 94.
    Anyone with vulnerability knowledge in either, please forward it to Duct
    Tape.
    
    >I am curious about doing some penetration testing on a site who has
    >Tivoli installed on their Internet web servers.  Based upon some IBM
    >Redbook documentation on Tivoli, it looks like Tivoli requires many
    >ports to be opened: 94, 512 (exec), and all above 1024.
    >
    >If this is true and if I can take over one of their IIS servers,
    >shouldn't I be able to use these Tivoli ports to take over any other
    >server, especially those Unix machines with exec running on them?  I'm
    >also curious about any vulnerabilities found in version 1.1 of CORBA
    >because this technology is what Tivoli is built upon according to
    >IBM's documents.  Port 94 has something to do with these CORBA calls.
    >
    
    
    =====
    duc_ttapeat_private
    Duct Tape: I have a light side and a dark side,
    and I hold my universe together.
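An audit check a firewall admin could run against the PIX rule base the post describes, flagging any permit rule that lets rexec (tcp/512) or the Tivoli port (tcp/94) through a segment boundary. This is an added example, not code from the original post or from IBM; the access-list lines and addresses are constructed placeholders, and the `exec` service keyword mapping is an assumption.

```python
"""Flag PIX-style access-list entries that expose rexec (tcp/512) or the
Tivoli/CORBA port (tcp/94) between network segments.  Added example; the
config below is constructed and its addresses are placeholders."""
import re

# Ports the post says Tivoli needs open on managed hosts.
RISKY_PORTS = {512: "rexec", 94: "tivoli objcall (CORBA)"}
# PIX service keyword accepted in place of the number (assumption: only this one matters here).
SERVICE_NAMES = {"exec": 512}

ADDR = r"any|host\s+\S+|\S+\s+\S+"          # any | host A.B.C.D | network mask
ACL_RE = re.compile(
    rf"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl_line(line):
    """Parse one access-list line into a dict, or return None if it is not one."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    port = m.group("port")
    if port in SERVICE_NAMES:
        port = SERVICE_NAMES[port]
    elif port is not None and port.isdigit():
        port = int(port)
    return {"name": m["name"], "action": m["action"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "port": port}


def find_exposed_rules(config_text):
    """Return (acl_name, port, reason) for every permit rule reaching a risky port.
    A tcp/ip permit with no 'eq' clause covers all ports, so it is flagged too."""
    findings = []
    for line in config_text.splitlines():
        rule = parse_acl_line(line)
        if rule is None or rule["action"] != "permit" or rule["proto"] == "udp":
            continue
        if rule["port"] is None:
            findings.append((rule["name"], None, "all ports (includes 512 and 94)"))
        elif rule["port"] in RISKY_PORTS:
            findings.append((rule["name"], rule["port"], RISKY_PORTS[rule["port"]]))
    return findings


# Constructed sample rule base: web ports are fine, the other three permits are not.
PIX_CONFIG = """\
access-list dmz_in permit tcp any host 10.1.1.5 eq 80
access-list dmz_in permit tcp any host 10.1.1.5 eq 443
access-list dmz_in permit tcp host 192.0.2.10 10.1.1.0 255.255.255.0 eq exec
access-list inside_out permit tcp 10.2.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq 94
access-list dmz_in permit ip any 10.3.0.0 255.255.0.0
access-list dmz_in deny ip any any
"""
```

Running `find_exposed_rules(PIX_CONFIG)` reports the rexec, port-94 and any-port permits and ignores the web and deny rules.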
    
    



    This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 11:10:56 PDT