Novell NetIQ Privileged User Manager modifyAccounts Security Bypass

Added: 12/07/2012
BID: 56535
OSVDB: 87335

Background

Novell NetIQ Privileged User Manager (NPUM) allows IT administrators to work on systems without exposing superuser (administrator or supervisor) passwords or root-account credentials to the administrator.

Problem

NetIQ Privileged User Manager 2.3.1 and earlier contain an unauthenticated password reset vulnerability caused by an error in the pa_modify_accounts() function of the auth.dll module. An attacker may reset the admin password and then use the admin account to upload malicious files that they can execute on the server with SYSTEM privileges.

Resolution

Contact the vendor for a fix. Restrict network access to the NetIQ Privileged User Manager service to users of the system.

References

http://retrogod.altervista.org/9sg_novell_netiq_i_adv.htm
https://www.netiq.com/products/privileged-user-manager/

Limitations

This exploit has been tested against Novell Privileged User Manager 2.3.1 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut).

This exploit changes the password for the admin account.

The exploit requires the IO-Socket-SSL Perl module to be installed on the scanning host. This module is available from http://www.cpan.org/modules/by-module/IO/.

Platforms

Windows
