After conducting the penetration testing, we were able to gain full access to other machines inside a customer's DMZ network because of Tivoli!!!

Scenario: A Cisco PIX firewall protecting a set of Internet Web and database servers from the Internet in a DMZ. The PIX also protected the internal machines from the Internet. The machines in the DMZ were both NT and Unix. The internal network had a Tivoli management station which monitored the DMZ machines and the internal machines.

Testing: We were able to break into an IIS server that hadn't been patched for the CGI decode vulnerability. With this vulnerability we could upload an exec program on Windows with which we could spoof the name and IP address of the sending machine. With this tool we could send commands to all other Unix machines in the same DMZ that would be executed under the permissions of the Tivoli management station.

Alert: Tivoli requires rexec (port 512) to run on their managed hosts. When these hosts are connected to the Internet, there is a huge risk that Tivoli will allow full access to all machines in your DMZ.

Actions to be taken by admins: Disable Tivoli monitoring of DMZ machines until IBM fixes the problem.

Requests to IBM: Have you ever heard of SSH? Remove rexec from all Tivoli product requirements and replace it with SSH.

Follow-up: We are still looking at vulnerabilities in CORBA 1.1 and port 94. Anyone with vulnerability knowledge of either, please forward it to Duct Tape.

>I am curious about doing some penetration testing on a site who has
>Tivoli installed on their Internet web servers. Based upon some IBM
>Redbook documentation on Tivoli, it looks like Tivoli requires many
>ports to be opened: 94, 512 (exec), and all above 1024.
>
>If this is true and if I can take over one of their IIS servers,
>shouldn't I be able to use these Tivoli ports to take over any other
>server, especially those Unix machines with exec running on them?
>I'm also curious about any vulnerabilities found in version 1.1 of CORBA
>because this technology is what Tivoli is built upon according to IBM's
>documents. Port 94 has something to do with these CORBA calls.
>

=====
duc_ttapeat_private
Duct Tape: I have a light side and a dark side, and I hold my universe together.
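The rexec exchange the message is about, as an added example (not code from the original post, and not Tivoli's or IBM's code). It models the BSD rexecd framing on TCP/512: one connection carries a stderr port number, a username, a password and a command, each NUL-terminated and all in cleartext, and the server answers with a single 0x00 byte before the command output or a 0x01 byte before an error message. The user table, the command table, the socketpair "wire tap" and the toy server are constructed for the demo; a real rexecd authenticates against the system password file and runs the command under that account.

```python
"""Model of the rexec protocol (TCP/512) as spoken by BSD rexecd.

Added illustration, not Tivoli's code. The request/reply framing is the
real protocol; USERS, COMMANDS and the in-process server are constructed
stand-ins for a managed DMZ host.
"""
import socket
import threading

# Constructed: credentials and "commands" the toy managed host knows about.
USERS = {"tivoli": "s3cret"}
COMMANDS = {"id": b"uid=0(root) gid=0(root)\n", "uname -s": b"AIX\n"}


def build_rexec_request(user, password, command, stderr_port=0):
    """Client side: the bytes rexec(3) writes right after connecting.

    Four NUL-terminated fields: stderr port, user, password, command.
    Port 0 means "no separate stderr connection"; a non-zero port makes
    rexecd connect back to the client for stderr. Nothing is encrypted.
    """
    for field in (user, password, command):
        if "\0" in field:
            raise ValueError("rexec fields cannot contain NUL")
    return f"{stderr_port}\0{user}\0{password}\0{command}\0".encode()


def parse_rexec_request(data):
    """Server side, or anyone sniffing the DMZ segment: split the fields."""
    parts = data.split(b"\0")
    if len(parts) != 5 or parts[4] != b"":
        raise ValueError("malformed rexec request")
    port, user, password, command = (p.decode() for p in parts[:4])
    return {"stderr_port": int(port), "user": user,
            "password": password, "command": command}


def rexecd_handle(data):
    """Toy rexecd reply: b'\\x00' + output on success, b'\\x01' + message
    on failure, which is the response convention of BSD rexecd.
    Commands are looked up in the constructed table, never executed."""
    try:
        req = parse_rexec_request(data)
    except ValueError as exc:
        return b"\x01" + str(exc).encode() + b"\n"
    if USERS.get(req["user"]) != req["password"]:
        return b"\x01Login incorrect.\n"
    output = COMMANDS.get(req["command"])
    if output is None:
        return b"\x01" + req["command"].encode() + b": not found\n"
    return b"\x00" + output


def rexec_exchange(user, password, command):
    """Run client and server over a socketpair.

    Returns (request bytes as a passive observer would capture them,
    success flag, decoded reply text).
    """
    client, server = socket.socketpair()
    tapped = {}

    def serve():
        with server:
            req = server.recv(4096)
            tapped["request"] = req          # what a sniffer on the wire sees
            server.sendall(rexecd_handle(req))

    thread = threading.Thread(target=serve)
    thread.start()
    with client:
        client.sendall(build_rexec_request(user, password, command))
        reply = client.recv(4096)
    thread.join()
    ok = reply[:1] == b"\x00"
    return tapped["request"], ok, reply[1:].decode()


if __name__ == "__main__":
    wire, ok, out = rexec_exchange("tivoli", "s3cret", "id")
    print("on the wire:", wire)
    print("success:", ok, "output:", out.strip())
    print("credentials recovered from capture:",
          parse_rexec_request(wire)["user"], parse_rexec_request(wire)["password"])
```

Running it shows the whole security argument of the message in one packet: the management station's username and password cross the DMZ in the clear in the same request as the command, so anything that can reach port 512 on a managed host and has seen one exchange (or can be told the credentials) gets a command run under that account. That is also the reason SSH is the right replacement: the same user/command semantics, but with an authenticated, encrypted channel.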
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 11:10:56 PDT