Index
Bugtraq
Pełna lista
Błędy
Sztuczki
Exploity
Dorks list
Tylko z CVE
Tylko z CWE
Bogus
Ranking
CVEMAP
Świeża lista CVE
Producenci
Produkty
Słownik CWE
Sprawdź nr. CVE
Sprawdź nr. CWE
Szukaj
W Bugtraq
W bazie CVE
Po autorze
Po nr. CVE
Po nr. CWE
Po producencie
Po produkcie
RSS
Bugtraq
CVEMAP
CVE Produkty
Tylko Błędy
Tylko Exploity
Tylko Dorks
Więcej
cIFrex
Facebook
Twitter
Donate
O bazie
Lang
Polish
English
Submit
Clear Text Storage of Password in CS-MARS v6.0.4 and Earlier
2009.08.30
Credit:
ryan wessels
Risk:
Low
Local:
Yes
Remote:
No
CVE:
CVE-2009-2977
CWE:
CWE-310
Ogólna skala CVSS:
3.3/10
Znaczenie:
2.9/10
Łatwość wykorzystania:
6.5/10
Wymagany dostęp:
Sieć lokalna
Złożoność ataku:
Niska
Autoryzacja:
Nie wymagana
Wpływ na poufność:
Częściowy
Wpływ na integralność:
Brak
Wpływ na dostępność:
Brak
1. First after logging onto the console either pnlog mailto, or pnlog scpto will send the logs off of the box to a destination you specify, you can also display the logs using pnlog show. [pnadmin]$ pnlog scpto ryan (at) 10.4.61 (dot) 206 [email concealed]:/home/ryan scp /tmp/error-logs.tar.gz ryan (at) 10.4.61 (dot) 206 [email concealed]:/home/ryan/error-logs.tar.gz The authenticity of host '10.4.61.206 (10.4.61.206)' can't be established. RSA key fingerprint is cc:c5:35:ad:be:16:4e:59:6a:48:90:c3:98:9f:a3:e4. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.4.61.206' (RSA) to the list of known hosts. ryan (at) 10.4.61 (dot) 206 [email concealed]'s password: error-logs.tar.gz 100% 12MB 11.6MB/s 00:01 scp /tmp/janus-logs.tar.gz ryan (at) 10.4.61 (dot) 206 [email concealed]:/home/ryan/janus-logs.tar.gz ryan (at) 10.4.61 (dot) 206 [email concealed]'s password: janus-logs.tar.gz 100% 5830KB 5.7MB/s 00:01 [pnadmin]$ 2. After transfering the logs two files are produced as shown below. root@ultidesk:~/logs# ls error-logs.tar.gz janus-logs.tar.gz root@ultidesk:~/logs# 3. After extraction the following files are created as well as a folder structre within the folder you copied the log files to. root@ultidesk:~/logs# tar -xvf janus-logs.tar.gz opt/janus/release/bin/log/server/janus_log opt/janus/release/bin/log/server/janus_log.1 opt/janus/release/bin/log/server/janus_log.2 opt/janus/release/bin/log/server/janus_log.3 opt/janus/release/bin/log/server/janus_log.4 opt/janus/release/bin/log/server/janus_log.5 opt/janus/release/bin/log/server/janus_log.6 opt/janus/release/bin/log/server/janus_log.7 opt/janus/release/bin/log/server/janus_log.8 opt/janus/release/bin/log/server/janus_log.9 tmp/raid_event.log tmp/saslog.txt root@ultidesk:~/logs# ls error-logs.tar.gz janus-logs.tar.gz opt tmp root@ultidesk:~/logs# tar -xvf error-logs.tar.gz opt/janus/release/bin/log/server/janus_log opt/janus/release/VERSION opt/janus/jboss/server/default/log/feedback/jboss.log opt/janus/jboss/server/default/log/feedback/jboss.log.1 opt/janus/jboss/server/default/log/feedback/jboss.log.2 etc/model opt/janus/jboss/server/default/log/trace/jbossStackTrace-2009-08-20_10-3 3-07_CDT.log tmp/kill-runGuardedBackcalc.log tmp/restartJBoss.log var/log/messages var/log/messages.1 var/log/messages.2 var/log/messages.3 var/log/messages.4 var/log/upgrade_1215785121.log var/log/upgrade_1215786450.log var/log/upgrade_1215787232.log var/log/upgrade_1224176330.log var/log/upgrade_1224177537.log var/log/upgrade_1224178406.log var/log/upgrade_1237838103.log var/log/upgrade_1238006432.log var/log/upgradehistory.log var/log/upgrade.log var/log/upgrade.log.1245330683 var/log/upgrade.log.1250782367 var/log/upgrade_s1238170243.log var/log/upgrade_s1245331100.log var/log/upgrade_s1250782908.log log/sysbacktrace.00 log/sysbacktrace.01 log/sysbacktrace.02 log/sysbacktrace.03 log/sysbacktrace.04 log/sysbacktrace.05 log/sysbacktrace.06 log/sysbacktrace.07 log/sysbacktrace.08 log/sysbacktrace.09 log/sysbacktrace.10 log/sysbacktrace.11 log/sysbacktrace.12 log/sysbacktrace.13 log/sysbacktrace.14 log/sysbacktrace.15 log/sysbacktrace.16 log/sysbacktrace.17 log/sysbacktrace.18 log/sysbacktrace.19 log/sysbacktrace.20 log/sysbacktrace.21 log/sysbacktrace.22 log/sysbacktrace.23 log/sysbacktrace.24 log/sysbacktrace.25 log/sysbacktrace.26 log/sysbacktrace.27 log/sysbacktrace.28 log/sysbacktrace.29 log/sysbacktrace.30 log/sysbacktrace.31 log/sysbacktrace.32 log/sysbacktrace.33 log/sysbacktrace.34 log/sysbacktrace.35 log/sysbacktrace.36 log/sysbacktrace.37 log/sysbacktrace.38 log/sysbacktrace.39 log/sysbacktrace.40 log/sysbacktrace.41 log/sysbacktrace.42 log/sysbacktrace.43 log/sysbacktrace.44 log/sysbacktrace.45 log/sysbacktrace.46 log/sysbacktrace.47 log/sysbacktrace.48 log/sysbacktrace.49 log/sysbacktrace.50 log/sysbacktrace.51 log/sysbacktrace.52 log/sysbacktrace.53 log/sysbacktrace.54 log/sysbacktrace.55 log/sysbacktrace.56 log/sysbacktrace.57 log/sysbacktrace.58 log/sysbacktrace.59 log/sysbacktrace.60 log/sysbacktrace.61 log/sysbacktrace.62 log/sysbacktrace.63 log/sysbacktrace.64 log/sysbacktrace.65 log/sysbacktrace.66 log/sysbacktrace.67 log/sysbacktrace.68 log/sysbacktrace.69 log/sysbacktrace.70 log/sysbacktrace.71 log/sysbacktrace.72 log/sysbacktrace.73 log/sysbacktrace.74 log/sysbacktrace.75 log/sysbacktrace.76 log/sysbacktrace.77 log/sysbacktrace.78 log/sysbacktrace.79 log/sysbacktrace.80 log/sysbacktrace.81 log/sysbacktrace.82 log/sysbacktrace.83 log/sysbacktrace.84 log/sysbacktrace.85 log/sysbacktrace.86 log/sysbacktrace.87 log/sysbacktrace.88 log/sysbacktrace.89 log/sysbacktrace.90 log/sysbacktrace.91 log/sysbacktrace.92 log/sysbacktrace.93 log/sysbacktrace.94 log/sysbacktrace.95 var/log/sa/sa13 var/log/sa/sa14 var/log/sa/sa15 var/log/sa/sa16 var/log/sa/sa17 var/log/sa/sa18 var/log/sa/sa19 var/log/sa/sa20 var/log/sa/sa21 var/log/sa/sar12 var/log/sa/sar13 var/log/sa/sar14 var/log/sa/sar15 var/log/sa/sar16 var/log/sa/sar17 var/log/sa/sar18 var/log/sa/sar19 var/log/sa/sar20 u01/app/oracle/admin/pndb/bdump/alert_pndb.log u01/app/oracle/admin/pndb/bdump/pn_app.log tmp/package-env.txt tmp/diskUsage.txt root@ultidesk:~/logs# ls error-logs.tar.gz etc janus-logs.tar.gz log opt tmp u01 var 3. Now executing grep for a portion of the password that MARS uses to access Windows Devices (password masked with ####). We can see that in this case every iterration of sysbacktrace.X containes 30 occurances of our password (95 files 30 occurances each = 2,850 occurances of our password): root@ultidesk:~/logs# grep -R -c ######* * error-logs.tar.gz:0 etc/model:0 janus-logs.tar.gz:0 log/sysbacktrace.84:30 log/sysbacktrace.77:30 log/sysbacktrace.47:30 log/sysbacktrace.82:30 log/sysbacktrace.95:30 log/sysbacktrace.22:30 log/sysbacktrace.40:30 log/sysbacktrace.10:30 log/sysbacktrace.65:30 log/sysbacktrace.74:30 log/sysbacktrace.68:30 log/sysbacktrace.60:30 log/sysbacktrace.37:30 log/sysbacktrace.59:30 log/sysbacktrace.88:30 log/sysbacktrace.01:30 log/sysbacktrace.89:30 log/sysbacktrace.38:30 log/sysbacktrace.16:30 log/sysbacktrace.09:30 log/sysbacktrace.53:30 log/sysbacktrace.13:30 log/sysbacktrace.23:30 log/sysbacktrace.44:30 log/sysbacktrace.06:30 log/sysbacktrace.35:30 log/sysbacktrace.04:30 log/sysbacktrace.67:30 log/sysbacktrace.69:30 log/sysbacktrace.64:30 log/sysbacktrace.66:30 log/sysbacktrace.93:30 log/sysbacktrace.79:30 log/sysbacktrace.51:30 log/sysbacktrace.31:30 log/sysbacktrace.83:30 log/sysbacktrace.29:30 log/sysbacktrace.39:30 log/sysbacktrace.25:30 log/sysbacktrace.85:30 log/sysbacktrace.80:30 log/sysbacktrace.50:30 log/sysbacktrace.73:30 log/sysbacktrace.34:30 log/sysbacktrace.33:30 log/sysbacktrace.90:30 log/sysbacktrace.61:30 log/sysbacktrace.08:30 log/sysbacktrace.46:30 log/sysbacktrace.07:30 log/sysbacktrace.32:30 log/sysbacktrace.30:30 log/sysbacktrace.92:30 log/sysbacktrace.56:30 log/sysbacktrace.03:30 log/sysbacktrace.00:30 log/sysbacktrace.18:30 log/sysbacktrace.21:30 log/sysbacktrace.91:30 log/sysbacktrace.94:30 log/sysbacktrace.54:30 log/sysbacktrace.28:30 log/sysbacktrace.42:30 log/sysbacktrace.05:30 log/sysbacktrace.86:30 log/sysbacktrace.17:30 log/sysbacktrace.75:30 log/sysbacktrace.78:30 log/sysbacktrace.41:30 log/sysbacktrace.55:30 log/sysbacktrace.15:30 log/sysbacktrace.24:30 log/sysbacktrace.14:30 log/sysbacktrace.26:30 log/sysbacktrace.58:30 log/sysbacktrace.43:30 log/sysbacktrace.45:30 log/sysbacktrace.71:30 log/sysbacktrace.52:30 log/sysbacktrace.62:30 log/sysbacktrace.57:30 log/sysbacktrace.11:30 log/sysbacktrace.49:30 log/sysbacktrace.19:30 log/sysbacktrace.63:30 log/sysbacktrace.36:30 log/sysbacktrace.20:30 log/sysbacktrace.48:30 log/sysbacktrace.02:30 log/sysbacktrace.87:30 log/sysbacktrace.27:30 log/sysbacktrace.70:30 log/sysbacktrace.12:30 log/sysbacktrace.72:30 log/sysbacktrace.76:30 log/sysbacktrace.81:30 4. Here is a grep that shows where the password is actually being recorded, it includes the system ip, the domain, the username and the password. (Username, domain, and password have been masked with ###). root@ultidesk:~/logs# grep -R rpcclient2 * | more .. log/sysbacktrace.84:0 500 9429 9428 18 0 9244 1328 - S ? 0:00 rpcclient2 //10.20.36.233/ -W #### -U #######%############# --param 10.20.36.233 system 1 1 0 RPC-EVENTLOG log/sysbacktrace.84:0 500 9432 9431 19 0 9116 1328 - S ? 0:00 rpcclient2 //10.4.90.12/ -W #### -U #######%############# --param 10.4.90.12 security 1 1 0 RPC-EVENTLOG log/sysbacktrace.84:0 500 9423 9422 18 0 8896 1328 - S ? 0:00 rpcclient2 //10.8.32.40/ -W #### -U #######%############# --param 10.8.32.40 system 1 1 0 RPC-EVENTLOG log/sysbacktrace.84:0 500 7714 7713 18 0 8776 1328 - S ? 0:00 rpcclient2 //10.20.1.93/ -W #### -U #######%############# --param 10.20.1.93 security 1 1 0 RPC-EVENTLOG log/sysbacktrace.84:0 500 9813 9812 15 0 8672 1848 - S ? 0:00 rpcclient2 //10.16.34.21/ -W #### -U #######%############# --param 10.16.34.21 security 1 1 0 RPC-EVENTLOG log/sysbacktrace.84:0 500 9303 9302 19 0 8448 1328 - S ? 0:00 rpcclient2 //10.30.25.130/ -W #### -U #######%############# --param 10.30.25.130 system 1 1 0 RPC-EVENTLOG log/sysbacktrace.84:0 500 7702 7701 21 0 8392 1328 - S ? 0:00 rpcclient2 //10.20.1.97/ -W #### -U #######%############# --param 10.20.1.97 security 1 1 0 RPC-EVENTLOG .. 5. Granted access to the sysbacktrace logs is only possible with ssh access to the box however these logs if attached to a support ticket through email are sent in the clear, or if these log files are routinely dumped and stored the password is avliable in clear text. Additionally in most cases MARS will be monitoring Active Directory data in order to access Domain Controllers 'Domain Admin' rights must be included in the account.
Referencje:
http://www.vupen.com/english/advisories/2009/2364
http://www.securityfocus.com/bid/36098
http://www.securityfocus.com/archive/1/archive/1/505998/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/505995/100/0/threaded
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb52450
See this note in RAW Version
Tweet
Vote for this issue:
0
0
50%
50%
Thanks for you vote!
Thanks for you comment!
Your message is in quarantine 48 hours.
Comment it here.
Nick (*)
Email (*)
Video
Text (*)
(*) -
required fields.
Cancel
Submit
{{ x.nick }}
|
Date:
{{ x.ux * 1000 | date:'yyyy-MM-dd' }}
{{ x.ux * 1000 | date:'HH:mm' }}
CET+1
{{ x.comment }}
Show all comments
Copyright
2024
, cxsecurity.com
Back to Top