Rapid 7 Advisory R7-0002: Alchemy Eye Remote Unauthenticated Log Viewing

From: Rapid 7 Security Advisories (advisoryat_private)
Date: Fri Nov 30 2001 - 10:16:16 PST

Next message: Bob Howard: "Re: UUCP"

Previous message: Hendrik-Jan Verheij: "Denial of Service in Lotus Domino 5.08 and earlier HTTP Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----

_______________________________________________________________________
                   Rapid 7, Inc. Security Advisory

          Visit http://www.rapid7.com to download NeXpose(tm), our
          advanced vulnerability scanner. Linux and Windows 2000
          versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0002: Alchemy Eye Remote Unauthenticated Log Viewing

    Published:  November 30, 2001
    Revision:   1.0
    CVE ID:     CAN-2001-0870
    Bugtraq ID: 3598

1. Affected system(s):

    KNOWN VULNERABLE:
     o Alchemy Eye and Alchemy Network Monitor v1.9x through v2.6.18

    Apparently NOT VULNERABLE:
     o Alchemy Eye v2.6.19 and greater (web access disabled by default)
     o Alchemy Eye v1.7 (has no web access feature)
     o Alchemy Eye v1.8 (has no web access feature)

2. Summary

    Alchemy Eye and Alchemy Network Monitor are network management
    tools for Microsoft Windows.  The product contains a built-in HTTP
    server for remote monitoring and control.  This HTTP server is
    enabled by default in vulnerable versions of the software,
    requiring no authentication.

    The HTTP feature allows remote users to view the network monitoring
    logs. These logs can contain internal IP addresses and other
    information about your network (depending on what monitoring you've
    set up).

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the identifier CAN-2001-0870 to this issue. This is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

    Bugtraq has assigned the identifier 3598 to this vulnerability.
    More information on Bugtraq can be found at
    http://www.securityfocus.com .

3. Vendor status and information

    Alchemy Eye
    Alchemy Labs, Inc.
    http://www.alchemy-lab.com/products/eye/

    Alchemy Network Monitor
    DEK Software, Inc.
    http://www.deksoftware.com/alchemy/

    Vendors notified 7/25/2001.  HTTP is disabled by default
    starting with version 2.6.19, released in early August 2001.

4. Solution

    If you are using any of the vulnerable versions, we suggest the
    following:

       (a) Disable HTTP access completely via Preferences.  You must
       restart the product for this to take effect.

       or, (b) Require HTTP authentication via Preferences.  You must
       restart the product for this to take effect.  This is only possible
       with versions 2.6.x and later (earlier versions have no
       authentication option).

       (c) Lock down the ACLs of the directory where you installed
       the product. The username and password for HTTP authentication
       are stored in cleartext in the file eye.ini.

5. Detailed analysis

    Vulnerable versions install by default with web access enabled. This
    allows remote users to view the logs. The product stores all its
    settings in a file called eye.ini.

    If you choose to enable HTTP and require authentication, the eye.ini
    file will contain the following section:

       [Web settings]
       Port to listen=80
       Allow web access=1
       Login=webuser
       Password=webpass

    Where "webuser" is the username and "webpass" is the cleartext
    password.

6. Contact Information

       Rapid 7 Security Advisories
       Email:   advisoryat_private
       Web:     http://www.rapid7.com
       Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

    Rapid 7, Inc. is not responsible for the misuse of the information
    provided in our security advisories. These advisories are a service
    to the professional security community.  There are NO WARRANTIES
    with regard to this information. Any application or distribution of
    this information constitutes acceptance AS IS, at the user's own
    risk.  This information is subject to change without notice.

    This advisory Copyright (C) 2001 Rapid 7, Inc.  Permission is
    hereby granted to redistribute this advisory in electronic media
    only, providing that no changes are made and that the copyright
    notices and disclaimers remain intact.  This advisory may not be
    printed or distributed in non-electronic media without the
    express written permission of Rapid 7, Inc.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQEVAwUBPAfM7+stPa8cHEsJAQG9SQf/UXJdBsfnrltZlipIS9amaDJJh9UDt3A9
P0xkTcHKqWr0Iva64E2MlwhPfvtf3F+X/K+O3OtsZ+2KMiwCr60ySuBLtKy+KOTB
Y5m0/W46JyydgmSSze+ZtsdvPxZQRgDydGNC8dxONsQNdjTGVHka7WanDJCSR5JK
Ket+HMJaNmua2j7ypnkfDc2P7VPQOcuAzqWfC6SolLYcd897jA0735MSmFfwGBb8
QooXApmHX16EzwVLzk1nvOprcbxuQmsl2QpLS2TrZv1VsbH6V+7bRu9QL9FY00Wc
ziJP+MmK1kgSsw2B8WzMFKH8HvVhOUoZ26Ah2wgzqERw4thPa82qhg==
=mM1x
-----END PGP SIGNATURE-----

Next message: Bob Howard: "Re: UUCP"
Previous message: Hendrik-Jan Verheij: "Denial of Service in Lotus Domino 5.08 and earlier HTTP Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 15:08:38 PST