From BugTraq@corsaire.com Wed May 16 02:20:18 2001 From: Martin O'Neal To: BUGTRAQ@securityfocus.com Date: Thu, 10 May 2001 10:25:34 +0100 Subject: Corsaire Limited Security Advisory - Symantec/Axent NetProwler 3. 5.x database configuration [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] -- Corsaire Limited Security Advisory -- Title: Symantec/Axent NetProwler 3.5.x database configuration Date: 07.04.01 Application: Symantec/Axent NetProwler 3.5.x Environment: WinNT Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution -- Scope -- The aim of this document is to clearly define some issues related to a potentially unsound database configuration within the NetProwler application environment as provided by Symantec/Axent [1]. -- History -- Vendor notified: 07.04.01 Document released: 09.05.01 -- Overview -- The latest version of the NetProwler intrusion detection product comes as a three-tiered architecture, consisting of agents, a management component, and a console. Both configuration and auditing information is stored within a MySQL database hosted locally on the management tier of the product. This database is exposed unnecessarily to potential network scrutiny due to being configured by default to listen to all local IP addresses. -- Analysis -- The MySQL database included with the NetProwler product is used to store both configuration and auditing information on the management tier. This is accessed via an ODBC connection on the default MySQL port (TCP/3306). Because it is possible to connect to the databases remotely, if the correct access password can be obtained (see Corsaire advisory 010317-001a [2]), it is possible to amend the data contained within them, or simply delete the databases causing a denial of service in the management tier. In theory, using this flaw it is feasible to disable the IDS capabilities of NetProwler, perform whatever attack is required, and then reconfigure the host to its prior state. As a proof of concept, a tool was created that simply deletes the NetProwler databases causing a denial of service. This was provided to the vendor, but will not be made freely available.. -- Recommendations -- The MySQL databases do not need to be accessed by remote systems, so the MySQL engine can be configured to listen to localhost only. To do this, edit the c:\my.cnf file and add the following line, then restart the host: [MySQLd] bind-address=127.0.0.1 -- References -- [1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID= 50&PID=3061537 [2] http://www.corsaire.com/advisories/010317-001a.txt -- Revision -- Initial release. Copyright 2001 Corsaire Limited. All rights reserved. ---------------------------------------------------------------------- CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise. ---------------------------------------------------------------------- DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated. ---------------------------------------------------------------------- Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey GU23 7EF Telephone:+44(0)1483-226000 Email:info@corsaire.com