Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 ##### ##### ## ## ## ## ## ## ## ## ##### ##### ## ## ## ## ## ## Rhino9, The security research team. [http://www.rhino9.org] Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 security advisory #1 --------------------------- Title : Vulnerability in AOL Server 2.2 (Unix) Date : 22nd January 1998 Authors : modu1e, chame|eon, vacuum Problem : --------- Any local user is able to retrieve the encrypted password of the AOLserver's nsdadmin account, the password system uses DES, so the attacker can crack the password using the appropriate software. This is because the nsd.ini file, which AOLserver uses to set up it's port settings and other characteristics, is world-readable. Impact : --------- The nsadmin account can be compromised and then used to modify the AOLserver configuration, change passwords or shutdown the server. Once a local user has cracked the password, he is then able to use a web browser to reconfigure the server by visiting the following URL.. http://host.to.attack.com:9876/NS/Setup We use port 9876 because it was defined in the nsd.ini file as : [ns/setup] Port=9876. Once at the password prompt, the attacker simply enters the nsadmin username and the password that he cracked. The attacker now has complete control over the AOLserver. Exploit : --------- Locally, locate the AOLserver directory (find / -name nsd.ini), and follow these simple steps.. % cd % grep Password nsd.ini Password=t2GU5GN5XJWvk % ..Next crack the DES encrypted string using your favorite cracker program. Fix : --------- Make the nsd.ini file readable only by it's owner. Additional information : ------------------------ This problem was originally found by modu1e, vacuum and chameleon of the Rhino9 security research team [www.rhino9.org] Copyright information : ------------------------ The contents of this advisory are Copyright (c) 1998 the Rhino9 security research team, this document may be distributed freely, as long as proper credit is given. Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 ##### ##### ## ## ## ## ## ## ## ## ##### ##### ## ## ## ## ## ## Rhino9, The security research team. [http://www.rhino9.org] Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9 Rhino9