Vulnerability in AOL Server 2.2 - modu1e, chame|eon, vacuum
147892c0184fcc5a6fe7c9b18666b7919a03a77380364805bc6988b6211e598d
Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9
##### #####
## ## ## ##
## ## ## ##
##### #####
## ## ##
## ## ##
Rhino9, The security research team.
[http://www.rhino9.org]
Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9
Rhino9 security advisory #1
---------------------------
Title : Vulnerability in AOL Server 2.2 (Unix)
Date : 22nd January 1998
Authors : modu1e, chame|eon, vacuum
Problem :
---------
Any local user is able to retrieve the encrypted password of the AOLserver's
nsdadmin account, the password system uses DES, so the attacker can crack the
password using the appropriate software. This is because the nsd.ini file,
which AOLserver uses to set up it's port settings and other characteristics,
is world-readable.
Impact :
---------
The nsadmin account can be compromised and then used to modify the
AOLserver configuration, change passwords or shutdown the server.
Once a local user has cracked the password, he is then able to use a web
browser to reconfigure the server by visiting the following URL..
http://host.to.attack.com:9876/NS/Setup
We use port 9876 because it was defined in the nsd.ini file as :
[ns/setup] Port=9876.
Once at the password prompt, the attacker simply enters the nsadmin username
and the password that he cracked. The attacker now has complete control over
the AOLserver.
Exploit :
---------
Locally, locate the AOLserver directory (find / -name nsd.ini), and follow
these simple steps..
% cd <AOLserver directory>
% grep Password nsd.ini
Password=t2GU5GN5XJWvk
%
..Next crack the DES encrypted string using your favorite cracker program.
Fix :
---------
Make the nsd.ini file readable only by it's owner.
Additional information :
------------------------
This problem was originally found by modu1e, vacuum and chameleon of the
Rhino9 security research team [www.rhino9.org]
Copyright information :
------------------------
The contents of this advisory are Copyright (c) 1998 the Rhino9 security
research team, this document may be distributed freely, as long as proper
credit is given.
Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9
##### #####
## ## ## ##
## ## ## ##
##### #####
## ## ##
## ## ##
Rhino9, The security research team.
[http://www.rhino9.org]
Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9