From advisory@rapid7.com Fri Nov 30 23:46:00 2001 From: Rapid 7 Security Advisories X-Sender: advisory@liam.rapid7.com (Unverified) To: bugtraq@securityfocus.com Date: Fri, 30 Nov 2001 10:16:16 -0800 Subject: Rapid 7 Advisory R7-0002: Alchemy Eye Remote Unauthenticated Log Viewing -----BEGIN PGP SIGNED MESSAGE----- _______________________________________________________________________ Rapid 7, Inc. Security Advisory Visit http://www.rapid7.com to download NeXpose(tm), our advanced vulnerability scanner. Linux and Windows 2000 versions are available now! _______________________________________________________________________ Rapid 7 Advisory R7-0002: Alchemy Eye Remote Unauthenticated Log Viewing Published: November 30, 2001 Revision: 1.0 CVE ID: CAN-2001-0870 Bugtraq ID: 3598 1. Affected system(s): KNOWN VULNERABLE: o Alchemy Eye and Alchemy Network Monitor v1.9x through v2.6.18 Apparently NOT VULNERABLE: o Alchemy Eye v2.6.19 and greater (web access disabled by default) o Alchemy Eye v1.7 (has no web access feature) o Alchemy Eye v1.8 (has no web access feature) 2. Summary Alchemy Eye and Alchemy Network Monitor are network management tools for Microsoft Windows. The product contains a built-in HTTP server for remote monitoring and control. This HTTP server is enabled by default in vulnerable versions of the software, requiring no authentication. The HTTP feature allows remote users to view the network monitoring logs. These logs can contain internal IP addresses and other information about your network (depending on what monitoring you've set up). The Common Vulnerabilities and Exposures (CVE) project has assigned the identifier CAN-2001-0870 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Bugtraq has assigned the identifier 3598 to this vulnerability. More information on Bugtraq can be found at http://www.securityfocus.com . 3. Vendor status and information Alchemy Eye Alchemy Labs, Inc. http://www.alchemy-lab.com/products/eye/ Alchemy Network Monitor DEK Software, Inc. http://www.deksoftware.com/alchemy/ Vendors notified 7/25/2001. HTTP is disabled by default starting with version 2.6.19, released in early August 2001. 4. Solution If you are using any of the vulnerable versions, we suggest the following: (a) Disable HTTP access completely via Preferences. You must restart the product for this to take effect. or, (b) Require HTTP authentication via Preferences. You must restart the product for this to take effect. This is only possible with versions 2.6.x and later (earlier versions have no authentication option). (c) Lock down the ACLs of the directory where you installed the product. The username and password for HTTP authentication are stored in cleartext in the file eye.ini. 5. Detailed analysis Vulnerable versions install by default with web access enabled. This allows remote users to view the logs. The product stores all its settings in a file called eye.ini. If you choose to enable HTTP and require authentication, the eye.ini file will contain the following section: [Web settings] Port to listen=80 Allow web access=1 Login=webuser Password=webpass Where "webuser" is the username and "webpass" is the cleartext password. 6. Contact Information Rapid 7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid 7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2001 Rapid 7, Inc. Permission is hereby granted to redistribute this advisory in electronic media only, providing that no changes are made and that the copyright notices and disclaimers remain intact. This advisory may not be printed or distributed in non-electronic media without the express written permission of Rapid 7, Inc. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1 iQEVAwUBPAfM7+stPa8cHEsJAQG9SQf/UXJdBsfnrltZlipIS9amaDJJh9UDt3A9 P0xkTcHKqWr0Iva64E2MlwhPfvtf3F+X/K+O3OtsZ+2KMiwCr60ySuBLtKy+KOTB Y5m0/W46JyydgmSSze+ZtsdvPxZQRgDydGNC8dxONsQNdjTGVHka7WanDJCSR5JK Ket+HMJaNmua2j7ypnkfDc2P7VPQOcuAzqWfC6SolLYcd897jA0735MSmFfwGBb8 QooXApmHX16EzwVLzk1nvOprcbxuQmsl2QpLS2TrZv1VsbH6V+7bRu9QL9FY00Wc ziJP+MmK1kgSsw2B8WzMFKH8HvVhOUoZ26Ah2wgzqERw4thPa82qhg== =mM1x -----END PGP SIGNATURE-----