Date: Sun, 21 Feb 1999 21:19:42 -0500
From: Weld Pond
To: BUGTRAQ@netspace.org
Subject: Severe Security Hole in ARCserve NT agents (fwd)

---------- Forwarded message ----------
Date: Sun, 21 Feb 1999 17:44:55 -0500
From: ELVIS
To: news@rootshell.com
Cc: hotnews@l0pht.com, CAI, security@microsoft.com
Subject: Severe Security Hole in ARCserve NT agents

This is absolutely pathetic. You can obtain user names and passwords used by ARCserve NT agents when an NT system is backed up over a TCP/IP network. Usually, for complete access to the system, these accounts will be granted administrator rights.

This only affects the "stock" NT agents. The Exchange and SQL backup agents appear to use NTLANMAN authentication (which has its own problems). There are probably similar exploits available over IPX/SPX and NetBEUI, but this note only covers TCP/IP.

Set your sniffer (Network Monitor from Systems Management Server will do) to listen for TCP/IP packets directed to port 6050 (17A2 hex). This will be the ARCserve server connecting to the remote client. The third packet you get is the one you want. The user name will be at offset 0x00EE in clear ASCII text. The password will be at offset 0x011E. Simply XOR these bytes with the ASCII values of the string "Ambuf1,et(0,21)", minus quotes of course, to get the PLAIN TEXT password!

ACK! YOU THOUGHT MICROSOFT WAS BAD!!!! GAG! BARF! These people SHOULD BE ASHAMED OF THEMSELVES!!!!

If you bother to search, you will find "Ambuf1,et(0,21)" in no less than 17 ARCserve EXEs and DLLs.

It is suggested that all ARCserve customers cease using the NT agents immediately if not sooner.
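As an added illustration (not code from the original post or from the product), the following Python shows why a fixed XOR key stored in the binaries gives no confidentiality: the transform is its own inverse, and a single credential whose value is already known recovers the key for every other capture. KEY is the string quoted in the post; the sample credential is constructed here.

```python
# Added illustration, not from the original post or from ARCserve.
# KEY is the string quoted in the advisory; everything else is constructed.

KEY = b"Ambuf1,et(0,21)"


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte of data with the key, repeating the key as needed.

    The same function both obfuscates and de-obfuscates, because
    (x ^ k) ^ k == x for every byte. That is the whole "protection".
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_involution(sample: bytes, key: bytes = KEY) -> bool:
    """Applying the transform twice returns the original bytes."""
    return xor_with_key(xor_with_key(sample, key), key) == sample


def recover_key(obfuscated: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext property: ciphertext XOR plaintext yields the key stream.

    Even if the key string were not findable in the EXEs and DLLs, one
    captured credential whose value is known (a test account, say) exposes
    the fixed key used for every other agent on the network.
    """
    n = min(len(obfuscated), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(obfuscated[:n], known_plaintext[:n]))


if __name__ == "__main__":
    # Constructed sample credential; not a real password.
    sample = b"Backup!Passw0rd"
    obf = xor_with_key(sample)
    print("obfuscated bytes:", obf.hex())
    print("round trip ok:   ", is_involution(sample))
    print("key recovered:   ", recover_key(obf, sample) == KEY[: len(sample)])
```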