Vulnerability

    RemoteAdmin/AOL Server 2.2

Affected

    Unix Servers Running AOL Server 2.2

Description

    Following info is based on Rhino9 Advisory #1.  Any local user  is
    able  to  retrieve  the  encrypted  password  of  the  AOLserver's
    nsdadmin account, the  password system uses  DES, so the  attacker
    can crack the  password using the  appropriate software.   This is
    because the nsd.ini file, which AOLserver uses to set up it's port
    settings  and  other  characteristics,  is  world-readable.    The
    nsadmin account  can be  compromised and  then used  to modify the
    AOLserver configuration, change passwords or shutdown the  server.
    Once a local user has cracked the password, he is then able to use
    a web browser to reconfigure the server by visiting the  following
    URL:

        http://host.to.attack.com:9876/NS/Setup

    Here we use port 9876 because  it was defined in the nsd.ini  file
    as:

        [ns/setup] Port=9876.

    Once  at  the  password  prompt,  the  attacker  simply enters the
    nsadmin username and the password  that he cracked.  The  attacker
    now has  complete control  over the  AOLserver.   To exploit this,
    you   must   first   locally   locate   the   AOLserver  directory
    (find / -name nsd.ini), and follow these simple steps:

        % cd <AOLserver directory>
        % grep Password nsd.ini
        Password=t2GU5GN5XJWvk
        %

    Next, crack the DES  encrypted string using your  favorite cracker
    program.

Solution

    Make the nsd.ini file readable only by it's owner.