Shiva Access Manager World-Readable LDAP Password Vulnerability

Vulnerability ID: 1105874
Vulnerability type: Configuration error
Published: 2000-06-06
Updated: 2006-08-09
CVE ID: CVE-2000-0516
CNNVD-ID: CNNVD-200006-022
Affected platform: Solaris
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/20003
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-022
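|Vulnerability details
When configured to store its configuration information in an LDAP directory, Shiva Access Manager 5.0.0 stores the root DN (Distinguished Name) and its password in a world-readable plaintext file. A local user can exploit this vulnerability to compromise the LDAP server.
|Exploit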
source: http://www.securityfocus.com/bid/1329/info

The Shiva Access Manager is a solution for centralized remote access authentication, authorization, and accounting offered by Intel. It runs on Solaris and Windows NT. Shiva Access Manager is vulnerable to a default configuration problem in its Solaris version (and possibly in the NT version as well, though this is unconfirmed). When configuring the Access Manager for LDAP, it prompts for the root "Distinguished Name" and password. It stores this information in a text file that is owned by root and set world readable by default, $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini. This file also contains information such as the LDAP server's hostname and server port. This information can be used to completely compromise the LDAP server.

cat $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini

(proceed then to do whatever LDAP attacks you like)
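
On the defensive side, the exposure described above comes down to the other-read bit on radtac.ini. The following is an added example, not part of the original advisory or of Shiva's tooling: a POSIX shell audit that reports whether the file is world-readable and restricts it to its owner. The function names are hypothetical, and it assumes the service reads the file as its owner (root, per the advisory), so removing group and other access does not break it.

```shell
#!/bin/sh
# Added example: audit and harden radtac.ini permissions.
# The relative path is the one given in the advisory; the install root is passed in.

# Print the full path of radtac.ini under the given Shiva home directory.
radtac_path() {
    printf '%s\n' "$1/insnmgmt/shiva_access_manager/radtac.ini"
}

# Return 0 if the file is readable by "other", 1 if it is not, 2 if it is missing.
radtac_world_readable() {
    f=$(radtac_path "$1")
    [ -f "$f" ] || return 2
    # find -perm -0004 matches only when the other-read bit is set.
    [ -n "$(find "$f" -prune -perm -0004 -print)" ]
}

# Remove all group and other access (assumption: only the owner needs the file).
radtac_harden() {
    f=$(radtac_path "$1")
    [ -f "$f" ] || return 2
    chmod go-rwx "$f"
}

# Print a one-line finding and return the audit status.
radtac_report() {
    rc=0
    radtac_world_readable "$1" || rc=$?
    case $rc in
        0) echo "EXPOSED: $(radtac_path "$1") is world-readable" ;;
        1) echo "OK: $(radtac_path "$1") is not world-readable" ;;
        *) echo "NOT FOUND: $(radtac_path "$1")" ;;
    esac
    return "$rc"
}

# Run the audit only when the caller has set SHIVA_HOME_DIR.
if [ -n "${SHIVA_HOME_DIR:-}" ]; then
    if radtac_report "$SHIVA_HOME_DIR"; then
        radtac_harden "$SHIVA_HOME_DIR" && echo "FIXED: group/other access removed"
    fi
fi
```

If the file was ever found exposed, tightening the mode does not undo earlier reads: the LDAP root DN password should also be changed on the directory server.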
|References

Source: BUGTRAQ
Name: 20000606 Shiva Access Manager 5.0.0 Plaintext LDAP root password.
Link: http://archives.neohapsis.com/archives/bugtraq/2000-06/0008.html
Source: XF
Name: shiva-plaintext-ldap-password
Link: http://xforce.iss.net/static/4612.php
Source: BID
Name: 1329
Link: http://www.securityfocus.com/bid/1329