Date: Tue, 16 Jan 2007 08:37:15 +0000
From: "dj flotek" <djflotek@...mail.com>
To: dante@...ghieri.org, full-disclosure@...ts.grok.org.uk
Subject: Re: Remedy Action Request System 5.01.02 - UserEnumeration

I regularly used to use Remedy in my previous duties. And okay, the 
authentication process does output a message specifying whether the user 
exists or not, and that is not a desirable aspect of any system.

I would like to say however, that Remedy was the most efficient system that 
I was aware of during the time of providing support with multiple 
systems+users. It has its problems, though I think it is fairly stable. And 
largely stable compared with other 'supposed call logging systems'. Having 
said that, I have not had any time to poke n probe it at all.

Seeing as most call logging systems for IT support are provided within a 
LAN/Secure W/LAN environment, the issue seems to be not so URGENT/SERIOUS. I 
mean, it is far easier to track instances of authentication login attempts 
in such a scenario, given certain security enforcements and params. I would 
think, others may disagree.

Yes, systems should not report whether a user does or does NOT exist, and 
such systems as Remedy can be used within any environment. But you would 
have to think that sys-admins with any sense about them, would be aware to 
such issues with 3rd party apps, and take action accordingly ...

| dot dot dot |

>From: "Davide Del Vecchio" <dante@...ghieri.org>
>To: full-disclosure@...ts.grok.org.uk
>Subject: [Full-disclosure] Remedy Action Request System 5.01.02 - 
>UserEnumeration
>Date: Mon, 15 Jan 2007 17:55:24 +0100
>
>=======================================================
>  Remedy Action Request System User Enumeration
>=======================================================
>
>Davide Del Vecchio Adv#11
>
>Discovered in: 08/01/2007
>
>Version affected: Remedy Action Request System 5.01.02 Patch 1267.
>The same vulnerable code could be present in other versions.
>
>Reference: http://www.alighieri.org/advisories/advisory-remedy50102.txt
>
>Software description:
>
>  From BMC Software website:
>  "Remedy Action Request System 5.01.02 provides a consolidated Service
>  Process Management platform for automating and managing Service
>  Management business processes."
>
>
>The problem:
>
>  During user login phase, it is possible to enumerate existing users
>  examining the error messages provided by the software.
>
>  Supplying a non-existing user the error message is:
>
>
>  ARERR [612] No such user is registered with this server
>	user: test,  server: 10.10.10.11
>
>  Unable to successfully log in to any server.
>
>
>  Supplying an existing user the error message is:
>
>
>  ARERR [329] Invalid password for an existing user
>	user: user,  server: 10.10.10.11
>
>  Unable to successfully log in to any server.
>
>
>Solution:
>
>  Vendor has been contacted 3 times with no answer.
>
>
>Credits:
>
>  Davide Del Vecchio would like to thank his family and all
>  the people supporting him and his research.
>  Support the rosewitch project.
>
>
>Disclaimer:
>
>  The information within this paper may change without notice. Use of this
>  information constitutes acceptance for use in an AS IS condition.
>  There are NO warranties with regard to this information. In no event shall
>  the author be liable for any damages whatsoever arising out of or in
>  connection with the use or spread of this information. Any use of this
>  information is at the user's own risk.
>  ^^^^^^^^
>
>Please send suggestions, updates, and comments to:
>Davide Del Vecchio "Dante Alighieri" - dante at alighieri dot org
>http://www.alighieri.org ~ http://legaest.blogspot.com
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/


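A defender-side check for the enumeration pattern the advisory describes, as an added example that is neither the thread's nor the vendor's code: it assumes a constructed server-side log format carrying a client address (the advisory only shows the client-side messages, which name the server but not the client) and flags clients that collect ARERR 612 "no such user" responses across many distinct usernames, which is what a name sweep looks like and a mistyped password does not.

```python
"""Flag clients probing for valid usernames via Remedy-style ARERR 612/329
login errors. Added example; the log format below is constructed, not BMC's."""
import re
from collections import defaultdict

# Constructed format (assumption):
# "<ts> client=<ip> ARERR [<code>] <text> user: <name>, server: <srv>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) ARERR \[(?P<code>\d+)\] .*?"
    r"user: (?P<user>[^,]+),\s+server: (?P<server>\S+)$"
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def enumeration_suspects(lines, min_unknown_users=5):
    """Map client -> sorted list of unknown usernames for every client that
    received ARERR 612 (no such user) for at least min_unknown_users distinct
    names. A legitimate user mistyping a password yields ARERR 329 against a
    single known name; a sweep yields 612 against many different names."""
    unknown = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["code"] == "612":
            unknown[rec["client"]].add(rec["user"])
    return {c: sorted(u) for c, u in unknown.items() if len(u) >= min_unknown_users}


# Constructed sample log: one user fumbling a password, one client sweeping names.
SAMPLE_LOG = [
    "2007-01-15T17:55:01 client=192.0.2.10 ARERR [329] Invalid password for an existing user user: alice, server: 10.10.10.11",
    "2007-01-15T17:55:02 client=192.0.2.10 ARERR [329] Invalid password for an existing user user: alice, server: 10.10.10.11",
] + [
    f"2007-01-15T17:56:{i:02d} client=198.51.100.7 ARERR [612] No such user is registered with this server user: guess{i}, server: 10.10.10.11"
    for i in range(6)
] + [
    "2007-01-15T17:56:30 client=198.51.100.7 ARERR [329] Invalid password for an existing user user: bob, server: 10.10.10.11",
]

if __name__ == "__main__":
    for client, names in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} unknown usernames probed, e.g. {names[:3]}")
```

The threshold is deliberately a parameter: on a LAN help-desk system, as the reply above notes, the baseline of typos per client is low, so a handful of distinct 612 names from one address is already worth a look.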
