Legato Networker vulnerability

From: 10functionat_private
Date: Wed Nov 21 2001 - 07:52:23 PST

    There's a weakness in the authentication scheme of Legato Networker software prior to version 6.1.
    When a client contacts the server, it announces (in clear text) via RPC its hostname or IP address, its username and the user's groups.
    Then the server tries to resolve the IP address of the machine which initiated the dialog; if it fails, it sends an "unknown host" answer but doesn't stop the authentication process.
    As a result, every machine whose IP couldn't be resolved by the server can fake any host or user,
    and in this way gain administrator privilege on the Networker admin interface.
                    -------------------------------
    Proof of concept:
    Here, we suppose that "server" is the Networker server whose IP is 1.2.3.4.
    We are now using a machine which can communicate freely with "server", called "intruder", whose IP is A.B.C.D.
    Prerequisite: "server" must be unable to perform a reverse lookup for the hostname "intruder" into an IP address (this machine is unknown in /etc/hosts and the associated DNS zone).
    
    So as root on "intruder", we will do the following actions:
    · Change the hostname of the machine in order to fake the server's one:
    #hostname server
    · Also fake the resolution mechanism on the intruder machine:
    Add "A.B.C.D server" into /etc/hosts
    · Contact the server by
    nwadmin -s 1.2.3.4
    · Now the server thinks you are root@server, so it will probably let you have the admin privileges.
    
    (you can eventually fake another user by creating this user on "intruder" and doing a su)
    (Of course you can also fake another hostname...)
    
    
    Legato has been warned of this.
     
      10function
    
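To make the flaw concrete for defenders, here is an added model of the decision logic the advisory describes: the pre-6.1 server reports "unknown host" when the reverse lookup of the peer fails, yet continues to trust the identity the client announced, whereas a fail-closed check refuses unresolvable peers and requires the resolved name to match the claimed hostname. This is example code written for this note, not Legato code; the hostnames, the PTR table and the intruder address 192.0.2.10 are constructed.

```python
"""Fail-open vs fail-closed peer-identity check (added example, not Legato code)."""
import socket
from typing import Callable, Optional

# Constructed reverse-lookup table standing in for the server's /etc/hosts + DNS.
# The "intruder" machine is deliberately absent, as in the advisory.
PTR_TABLE = {"1.2.3.4": "server", "5.6.7.8": "client1"}


def table_resolver(ip: str) -> Optional[str]:
    """Offline reverse lookup against the constructed table; None = unresolvable."""
    return PTR_TABLE.get(ip)


def system_resolver(ip: str) -> Optional[str]:
    """Real PTR lookup through the OS resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror both derive from OSError
        return None


def vulnerable_authorize(peer_ip: str, claimed_host: str, claimed_user: str,
                         admins: set, resolve: Callable[[str], Optional[str]]) -> bool:
    """Behaviour described for pre-6.1: an unresolvable peer gets an 'unknown host'
    message, but the self-reported user@host is still matched against the admin list."""
    if resolve(peer_ip) is None:
        print("unknown host")  # sent to the client, yet authentication continues
    return f"{claimed_user}@{claimed_host}" in admins


def hardened_authorize(peer_ip: str, claimed_host: str, claimed_user: str,
                       admins: set, resolve: Callable[[str], Optional[str]]) -> bool:
    """Fail closed: the peer must resolve, and the resolved name must equal the
    hostname the client announced, before the identity is matched at all."""
    resolved = resolve(peer_ip)
    if resolved is None or resolved != claimed_host:
        return False
    return f"{claimed_user}@{claimed_host}" in admins


def demo():
    """Intruder at 192.0.2.10 (not in PTR_TABLE) announces itself as root@server."""
    admins = {"root@server"}
    return (
        vulnerable_authorize("192.0.2.10", "server", "root", admins, table_resolver),
        hardened_authorize("192.0.2.10", "server", "root", admins, table_resolver),
        hardened_authorize("1.2.3.4", "server", "root", admins, table_resolver),
    )
```

The hardened check also rejects a resolvable host that announces a different name (client1 claiming to be server); a forward lookup of the resolved name back to the peer IP is the usual additional check against a poisoned PTR record.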
    



    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 17:22:48 PST