- RemoteAdmin/AOL Server 2.2
-
- Vulnerability in AOL Server 2.2 (Unix)
-
- SYSTEMS AFFECTED
- Unix Servers Running AOL Server 2.2
-
- PROBLEM
- Any local user is able to retrieve the encrypted password of the
- AOLserver's nsadmin account. The password system uses DES, so the
- attacker can crack the password using the appropriate software. This is
- because the nsd.ini file, which AOLserver uses to set up its port settings
- and other characteristics, is world-readable.
-
- IMPACT
- The nsadmin account can be compromised and then used to modify the
- AOLserver configuration, change passwords or shut down the server.
- Once a local user has cracked the password, he is then able to use a
- web browser to reconfigure the server by visiting the following URL:
-
- 'http://host.to.attack.com:9876/NS/Setup'
-
- We use port 9876 because it was defined in the nsd.ini file as:
-
- [ns/setup]
- Port=9876
-
- Once at the password prompt, the attacker simply enters the nsadmin
- username and the password that he cracked. The attacker now has
- complete control over the AOLserver.
-
- EXPLOIT
- Locally, locate the AOLserver directory (find / -name nsd.ini), and
- follow these simple steps:
-
- % cd <AOLserver directory>
- % grep Password nsd.ini
- Password=t2GU5GN5XJWvk
- %
-
- Next, crack the DES encrypted string using your favorite cracker
- program.
-
- SOLUTION
- Make the nsd.ini file readable only by its owner.
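-
- One way to apply and verify this fix across a host, as an added example
- that is not part of the original advisory. The function names are
- hypothetical, and it assumes the server process runs as the file's owner.

```sh
#!/bin/sh
# Added example: audit (and optionally tighten) permissions on nsd.ini files.
# Assumption: the AOLserver process runs as the owner of nsd.ini, so removing
# group/other access does not stop the server from reading its own config.

# Succeeds if the file is readable by group or by other.
ini_is_exposed() {
    [ -n "$(find "$1" -prune -type f \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Succeeds if the file holds a Password= entry. The value is never printed.
ini_has_password() {
    grep -q '^[[:space:]]*Password[[:space:]]*=' "$1" 2>/dev/null
}

# audit_nsd_ini ROOT [fix]
# Prints one status line per nsd.ini found under ROOT.
# With "fix", runs chmod go-rwx on every exposed file that stores a password.
# Returns 1 if any such file is still exposed afterwards, 0 otherwise.
# Paths containing newlines are not supported.
audit_nsd_ini() {
    root=$1
    mode=${2:-report}
    report=$(find "$root" -type f -name nsd.ini 2>/dev/null |
        while IFS= read -r f; do
            if ! ini_has_password "$f"; then
                echo "OK       $f (no Password entry)"
            elif ! ini_is_exposed "$f"; then
                echo "OK       $f"
            elif [ "$mode" = fix ] && chmod go-rwx "$f"; then
                echo "FIXED    $f"
            else
                echo "EXPOSED  $f"
            fi
        done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    if printf '%s\n' "$report" | grep -q '^EXPOSED'; then
        return 1
    fi
    return 0
}

# Usage: sh audit_nsd_ini.sh <AOLserver directory> [fix]
if [ $# -gt 0 ]; then
    audit_nsd_ini "$@"
fi
```

- A password that was stored in a world-readable file should be changed after
- the permissions are corrected, since it may already have been copied.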
-
- The contents of this advisory are Copyright (c) 1998 the Rhino9 security
- research team. This document may be distributed freely, as long as
- proper credit is given.