[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20070419135927.75DC922822@mailserver9.hushmail.com>
Date: Thu, 19 Apr 2007 15:59:25 +0200
From: <rashbi@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability
> BMC has provided the following statement: "[This issue] has been
> found not to be a security vulnerability; when properly
configured
> (as described for our customers in our documentation and in our
> online knowledge base) this attack is not possible."
Anybody with some experience on BMC Patrol products know that
security levels 1 to 4 are rarely used, because of the
configuration and management overhead.
Furthermore, level 0 (the default one) isn't imho the only security
level impacted by this vulnerability (which is an anonymous r/w
access to the SNMP configuration, including full paths to
binaries), given that level 1 use anonymous SSL and that level 2
use SSL with unverified client certificate. Levels 1 and 2 will
just help an attacker to bypass your NIDS.
Interested people can have a look to the "Patrol Security User
Guide"
(http://www.bmc.com/supportu/documents/73/44/17344/17344.pdf) for
additional details.
Conclusion : pconfig/xpconfig/wpconfig or any similar custom script
can be used to hack any default install of Patrol BMC but it "has
been found not to be a security vulnerability". How sad :-(
--
Rashbi
--
Are you safe? Click for quotes on home security system. Sale!
http://tagline.hushmail.com/fc/CAaCXv1VrkoHkexqS3wgZA26NsBeBZEt/
Powered by blists - more mailing lists