RE: ARCserve 6.61 Share Access Vulnerability

From: David Sexton (dave.sextonat_private)
Date: Mon Sep 17 2001 - 03:31:43 PDT


    I've just had a look at our ArcServe 2000 install and the files are there.
    This install is an upgrade from 6.6, so I can't be certain if the problem
    exists on a fresh install.
    
    We were able to change the permissions of the share & files so that only the
    administrators & backup accounts have access to them. So far, everything
    seems fine (several test backups worked) - however, I'll have to wait until
    tonight to see if this has affected the scheduled backups (hope not!)
    
    Cheers,
    
    Dave
    
    > -----Original Message-----
    > From:	ron [SMTP:rdrat_private]
    > Sent:	16 September 2001 05:27
    > To:	bugtraqat_private
    > Subject:	ARCserve 6.61 Share Access Vulnerability
    > 
    > I have found a vulnerability with ARCServe for NT 6.61 SP2a. I stumbled
    > upon this while performing a vulnerability analysis. 
    > 
    > Details:
    > 
    > The default install of ARCServe for NT creates a hidden share on Windows
    > NT machines when it is installed.
    > 
    > The name of this share is ARCSERVE$.
    > 
    > The permissions of the share allow all users in a domain to map this
    > share. However, this is not the worst part.
    > 
    > Within the share is a file named aremote.dmp.  The full path is
    > ARCSERVE$\DR\<NAME of SERVER>\aremote.dmp.
    > 
    > In the aremote.dmp file, the account name that runs the backup is in
    > cleartext within this file.  Also, a little further
    > within the file, the password for the account is in cleartext.
    > 
    > Seeing as how the account that performs backups can access system files,
    > this is very dangerous.  Some places run their
    > backups as the NT domain administrator account.
    > 
    > Fix:
    > 
    > CA has been notified and will be making a patch available to all
    > customers.
    > 
    > 
    > Also, it _should_ be possible to change the share permissions, allowing
    > only the backup account and the administrator access to the share.
    > 
    > 
    > I am not sure if this is in ARCServe 2000 or in releases prior, as I have
    > not checked them.
    > 
    > - rdr
    
    
    Sapphire Technologies Ltd
    http://www.sapphire.net
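
The workaround discussed in this thread (limiting ARCSERVE$ to the administrators and the backup account) can be checked after the fact with a short audit. The script below is an added example, not part of either message and not CA's fix; it assumes a Windows host where the SmbShare module is available (Windows 8 / Server 2012 or later), and the account names in `$Allowed` are placeholders.

```powershell
# Added example: list every principal that is allowed onto ARCSERVE$ but is
# not on the intended allowlist, at both the share and the NTFS layer.
# Assumption: run locally on the server that hosts the share, elevated.
$ShareName = 'ARCSERVE$'

# Placeholder principals: substitute your own administrators group and
# backup service account. Comparison below is case-insensitive.
$Allowed = @(
    'BUILTIN\Administrators',
    'EXAMPLE\svc-backup'
)

# Fails loudly if the share does not exist on this host.
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Share-level ACL: any Allow entry outside the allowlist is a finding.
$shareFindings = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $Allowed -notcontains $_.AccountName } |
    Select-Object @{ n = 'Layer';     e = { 'Share' } },
                  @{ n = 'Principal'; e = { $_.AccountName } },
                  @{ n = 'Rights';    e = { $_.AccessRight } }

# NTFS ACL on the shared folder: the share ACL alone does not protect the
# files from users who can reach the same path another way.
# Built-in entries such as NT AUTHORITY\SYSTEM will be listed for review
# unless you add them to $Allowed.
$ntfsFindings = (Get-Acl -Path $share.Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $Allowed -notcontains $_.IdentityReference.Value } |
    Select-Object @{ n = 'Layer';     e = { 'NTFS' } },
                  @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Rights';    e = { $_.FileSystemRights } }

$findings = @($shareFindings) + @($ntfsFindings)

if ($findings.Count -eq 0) {
    "No unexpected principals on $ShareName ($($share.Path))."
} else {
    $findings | Sort-Object Layer, Principal
}
```

An empty result only confirms the permissions; a backup account password that was already readable in aremote.dmp should still be treated as exposed and changed.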
    


