Vulnerability
Insight Agent (Compaq PFCUser account)

Affected
Windows NT with the 4.20D release of the Compaq Management Agents

Description
Owen Cunningham found the following. Compaq does not seem to be doing impressive things with its security lately. He had just updated the Compaq Insight Agents from version 4.22 to 4.23 and noticed that choosing the "express update" option silently added a PFCUser account to the system. By default this account is a member of the local Administrators group and holds advanced user rights that even the Administrators group does not ordinarily get: "Act as part of the operating system", "Debug programs", "Generate security audits" and "Replace a process level token". The kicker is that the installation program gives no indication that it is going to create this account: it neither warns you nor asks you.

The PFCUser account is installed by the PATROL agent, part of the OS-management functionality that Compaq licensed from BMC Software and bundles with the Compaq Insight Agents. CIA setup does prompt you about this functionality with the following dialog box:

"Compaq Insight Manager has added OS management for Microsoft Windows NT environments to its superior hardware availability management, by integrating key technology from BMC Software into the Compaq Insight Management Agent for Windows NT. Please see \Agents\Win-nt\Eng\README.TXT for details."

It then asks "Do you wish to install these OS management components?" If you answer Yes, BMC PATROL is installed and the PFCUser account is created; if you answer No, the BMC PATROL installation is skipped and the PFCUser account never touches your system. This behavior is identical for versions 4.22 and 4.23. Incidentally, the README.TXT mentioned in the dialog contains no information whatsoever about the PFCUser account. Especially damning is that this document supposedly contains instructions for removing BMC PATROL, yet never tells you to delete the PFCUser account (which, in his view, would be a vital step of any uninstall).

Another odd behavior of BMC PATROL is that it edits %SystemRoot%\system32\drivers\etc\services so that the snmp entry, ordinarily defined as 161/udp, is redefined as 3161/udp. (Courteously enough, the doctored line carries the comment "edited by PFC".)

After installing BMC PATROL twice, deleting the PFCUser account between installations, Owen dumped the hashes from both installs. The hashes were identical, meaning the password is *not* generated uniquely per installation. If you have a PFCUser account out there, use pwdump2 or the like to grab its hash and see whether it matches the following LM:NT pair:

5587afa83c5560fe9bbce258aadddcc0:989135220b8d9f7a57076280ac93c76f

This is the hash assigned to PFCUser *both* times it was created during his tests. Running L0phtCrack against it using only the hex characters 0123456789ABCDEF (many program-generated passwords are simply MD5 hashes rendered as hex), the password "240653C9467E45" popped up in about 4 minutes. The upshot is that every system that answered Yes to the OS-management prompt has a local account in the Administrators group whose password is now public, and deleting and reinstalling does not change it.

Solution
The Compaq Foundation Agents v4.40B, with fixes for the PFCUser issues, are now available for download. The SoftPaq is available as SP10629 on the Compaq web site. Links to this SoftPaq can be found on the Compaq Insight Manager download pages at http://www.compaq.com/sysmanage
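As an added check, written for this page and not taken from the advisory, Compaq or BMC, the following Python script looks for the PFCUser footprint described above in two offline artefacts: a user-rights export in the secedit INF format (on Windows 2000 and later, `secedit /export /cfg out.inf` produces one; NT 4.0 itself needs a resource-kit tool to dump the same data) and a copy of the services file. The privilege constants SeTcbPrivilege, SeDebugPrivilege, SeAuditPrivilege and SeAssignPrimaryTokenPrivilege are the Windows names of the four rights listed in the description. Both sample inputs are constructed for illustration.

```python
"""Audit helper for the PFCUser footprint: added example, not part of the
original advisory or of Compaq/BMC software. Sample inputs are constructed."""
import re

# Windows privilege constants behind the four rights named in the advisory.
SUSPECT_PRIVS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeDebugPrivilege": "Debug programs",
    "SeAuditPrivilege": "Generate security audits",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

# Constructed sample in secedit INF format (a real export is typically UTF-16:
# open(path, encoding="utf-16")). Holders appear as account names or as *SID.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = PFCUser
SeDebugPrivilege = *S-1-5-32-544,PFCUser
SeAuditPrivilege = *S-1-5-19,*S-1-5-20,PFCUser
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,PFCUser
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of %SystemRoot%\system32\drivers\etc\services after the
# PATROL edit described in the advisory.
SAMPLE_SERVICES = """\
# Copyright (c) 1993-1999 Microsoft Corp.
echo                7/tcp
snmp             3161/udp                           #edited by PFC
snmptrap          162/udp    snmp-trap
"""

def parse_privilege_rights(inf_text):
    """Map each privilege in [Privilege Rights] to the set of holders listed."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            priv, holders = (part.strip() for part in line.split("=", 1))
            rights[priv] = {h.strip() for h in holders.split(",") if h.strip()}
    return rights

def suspect_rights_for(inf_text, account="PFCUser"):
    """Return, sorted, the dangerous rights that `account` holds by name."""
    rights = parse_privilege_rights(inf_text)
    return sorted(p for p in SUSPECT_PRIVS if account in rights.get(p, set()))

# "snmp <port>/<proto> [aliases] [#comment]"; "snmptrap" does not match.
_SNMP_LINE = re.compile(r"^snmp\s+(\d+)/(\w+)(?:\s+[^#]*)?(?:#(.*))?$")

def snmp_port_tampering(services_text):
    """Return (port, proto, comment) if snmp is not on 161/udp, else None."""
    for raw in services_text.splitlines():
        m = _SNMP_LINE.match(raw.strip())
        if not m:
            continue
        port, proto = int(m.group(1)), m.group(2).lower()
        comment = (m.group(3) or "").strip()
        if (port, proto) != (161, "udp"):
            return port, proto, comment
    return None

def audit(inf_text, services_text, account="PFCUser"):
    """Combine both checks into one finding list a responder can act on."""
    findings = []
    for priv in suspect_rights_for(inf_text, account):
        findings.append(f"{account} holds {priv} ({SUSPECT_PRIVS[priv]})")
    tamper = snmp_port_tampering(services_text)
    if tamper:
        port, proto, comment = tamper
        findings.append(f"snmp moved to {port}/{proto} (comment: {comment!r})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF, SAMPLE_SERVICES):
        print("FINDING:", finding)
```

The rights check matches the account by name only; when an export lists holders as *SID strings, resolve the PFCUser SID first and pass that string as `account`. Deleting the account removes it from the rights list, but as the advisory notes a reinstall recreates it with the same known password, so the SoftPaq fix, not account deletion alone, is the remediation.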