Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9

                               #####     #####
                               ##  ##   ##  ##
                               ##  ##   ##  ##
                               #####     #####
                               ##  ##       ##
                               ##  ##       ##

                      Rhino9, The security research team.
         
                           [http://www.rhino9.org]

 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9


 Rhino9 security advisory #1
 ---------------------------

   Title   :  Vulnerability in AOL Server 2.2 (Unix)
   Date    :  22nd January 1998
   Authors :  modu1e, chame|eon, vacuum

 Problem :
 ---------

 Any local user is able to retrieve the encrypted password of the AOLserver's
 nsdadmin account, the password system uses DES, so the attacker can crack the
 password using the appropriate software. This is because the nsd.ini file,
 which AOLserver uses to set up it's port settings and other characteristics,
 is world-readable.


 Impact  :
 ---------

 The nsadmin account can be compromised and then used to modify the
 AOLserver configuration, change passwords or shutdown the server.
 Once a local user has cracked the password, he is then able to use a web
 browser to reconfigure the server by visiting the following URL..

 http://host.to.attack.com:9876/NS/Setup

 We use port 9876 because it was defined in the nsd.ini file as :

 [ns/setup] Port=9876.

 Once at the password prompt, the attacker simply enters the nsadmin username
 and the password that he cracked. The attacker now has complete control over
 the AOLserver.


 Exploit :
 ---------

 Locally, locate the AOLserver directory (find / -name nsd.ini), and follow
 these simple steps..

   % cd <AOLserver directory>
   % grep Password nsd.ini
   Password=t2GU5GN5XJWvk 
   % 

 ..Next crack the DES encrypted string using your favorite cracker program.


 Fix     :
 ---------

 Make the nsd.ini file readable only by it's owner.


 Additional information :
 ------------------------

 This problem was originally found by modu1e, vacuum and chameleon of the
 Rhino9 security research team [www.rhino9.org]


 Copyright information  :
 ------------------------

 The contents of this advisory are Copyright (c) 1998 the Rhino9 security
 research team, this document may be distributed freely, as long as proper
 credit is given.


 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9

                               #####     #####
                               ##  ##   ##  ##
                               ##  ##   ##  ##
                               #####     #####
                               ##  ##       ##
                               ##  ##       ##

                      Rhino9, The security research team.
         
                           [http://www.rhino9.org]

 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9