Hosting Controller Security Bulletin – July 16, 2002
Welcome to the first edition of the Hosting Controller Security Bulletin, designed to keep you abreast of news and developments concerning recently discovered security issues. Before reading this bulletin, it is highly recommended that you read the article 'How To Secure Windows 2000 Server' in the Hosting Controller Knowledgebase and, at a minimum, remove the EVERYONE permissions from the server as described there. The article is at http://www.hostingcontroller.com/english/support/kb/HCKB-Article44.html.
The information in this security bulletin provides guidance on several practical issues. It falls into two sections: one that helps Hosting Controller v.2002 users understand how to apply the security fixes, and another that helps Hosting Controller v.1.x users take the critical steps needed to become compliant.
SECURITY ISSUES
We were recently informed of several security holes in the User Management, Folder Copy and ODBC DSN Management sections of Hosting Controller. The ASP scripts in these sections contain routines that do not validate the form data they receive, so an attacker who submits crafted form data to them can escalate to system-level privileges on the server.
Details of the bugs are being withheld to protect administrators who do not learn of this security bulletin in a timely fashion.
RISK RATING
Internet Servers - Critical
PATCH AVAILABILITY
1. Hosting Controller v.2002 Users: A patch (Service Pack 2) is available for Hosting Controller v.2002 users at http://hostingcontroller.com/english/sp/index.html. You are required to download and apply this service pack.
Besides updating the vulnerable ASP files, this service pack makes the following changes:
- Randomizes the 'AdvWebAdmin' password. It is also highly recommended to turn off Terminal Services access for 'AdvWebAdmin'. Terminal Services access can be turned off from the account's properties in 'User Management' under 'Administrative Tools'. See below for detailed instructions.
- Creates a new group 'HCGroup' and moves all HC users into it. If you have already specified 'HCGroup' as the group for creating HC users, it remains unchanged.
- Renames the default HC ODBC DSN to a new random name of the form HCxxxxxxxx and updates the DSN name in the HC settings accordingly, so that the name can no longer be guessed.
2. Hosting Controller v.1.x Users: Hosting Controller v.1.x users are required to apply the fix manually. Follow the procedure below.
Reset the AdvWebAdmin password: 'AdvWebAdmin' is the anonymous user account for the Hosting Controller virtual directory. You need to reset its password. The password should be more than 13 characters long and should mix upper- and lower-case letters, digits and special characters, in the style of 'aLpHa@23HiT!' (note that this example itself is only 12 characters; make yours longer). Also turn off Terminal Services access for this user. If the HC virtual directory is not set to let IIS control the anonymous account's password ('Allow IIS to control password' in its anonymous access settings), enter the new password in IIS as well, or anonymous requests to the HC site will fail.
To reset the 'AdvWebAdmin' password:
- Open Computer Management. To open Computer Management, click 'Start', point to 'Settings', and then click 'Control Panel'. Double-click 'Administrative Tools', and then double-click 'Computer Management'.
- In the console tree, click 'Local Users and Groups'. Click 'Users'.
- Click the 'AdvWebAdmin' user account.
- Click 'Action', and then click 'Set Password'.
To turn off Terminal Services access:
- Open Computer Management. To open Computer Management, click 'Start', point to 'Settings', and then click 'Control Panel'. Double-click 'Administrative Tools', and then double-click 'Computer Management'.
- In the console tree, click 'Local Users and Groups'. Click 'Users'.
- Click the 'AdvWebAdmin' user account.
- Click 'Action', and then click 'Properties'. Click the 'Terminal Services Profile' tab and clear the 'Allow logon to terminal server' check box. Click 'OK'.
Remove the Users group from the registry key: By default Windows grants the 'Users' group 'Read' permission on HKEY_LOCAL_MACHINE\SOFTWARE, so code running under any low-privileged account, including ASP pages, can read the keys beneath it. An attacker can read the HC database DSN name from the registry, use it to manipulate the database, and from there gain system-level privileges. Removing 'Users' from the Hosting Controller key closes this path.
To remove the Users group permission:
- Click 'Start', 'Run' and enter 'regedt32'.
- Select 'HKEY_LOCAL_MACHINE on Local Machine'. Double-click 'SOFTWARE', and then double-click 'Advanced Communications'.
- Click 'Security' on the menu, click 'Permissions' and clear the check box 'Allow inheritable permissions from parent to propagate to this object'. Click 'Copy' when the alert prompt appears. Now select 'Users' and click the 'Remove' button. Click 'OK'.
Rename the Hosting Controller ODBC DSN: This step is required only if your HC ODBC DSN is still named 'HCDatabase'. Choose a new name that cannot be guessed.

To rename the ODBC DSN:
- Open Data Sources (ODBC). To open Data Sources (ODBC), click 'Start', point to 'Settings', and then click 'Control Panel'. Double-click 'Administrative Tools', and then double-click 'Data Sources (ODBC)'.
- Click the 'System DSN' tab, select the DSN 'HCDatabase' and click the 'Configure' button, which displays the DSN configuration dialog.
- Enter a different name in the 'Data Source Name' box and click 'OK'.
- Open the Hosting Controller Settings utility and enter this new name in the 'Data Source Name' box under the 'General' tab. Click 'OK'.
Apply the UpdateUser hot fix: Download and apply the UpdateUser Security Hot Fix from http://www.hostingcontroller.com/english/patches/ForAll/download/UpdateUser.zip. Instructions for applying the hot fix are included in the zip package.
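To confirm that the manual steps above actually took effect on a host, here is an added example written for this page (it is not part of Hosting Controller or of this bulletin): a PowerShell script that audits the three machine-level settings the procedure changes and, when run with -Fix, applies the registry ACL change, disables Terminal Services logon for the account and sets a new random password. It assumes the names the bulletin gives, the 'AdvWebAdmin' account, the HKLM\SOFTWARE\Advanced Communications key and the 'HCDatabase' System DSN; the New-StrongPassword helper and the Test-Hc* function names are this example's own.

```powershell
<#
  Audit, and with -Fix apply, the Hosting Controller v1.x manual fixes from
  this bulletin on the local Windows host. Added example for this page, not
  an HC-supplied script. Run from an elevated PowerShell prompt.
  Assumed from the bulletin: anonymous account 'AdvWebAdmin', registry key
  HKLM\SOFTWARE\Advanced Communications, default System DSN 'HCDatabase'.
#>
[CmdletBinding()]
param([switch]$Fix)

$UserName = 'AdvWebAdmin'
$HcKey    = 'HKLM:\SOFTWARE\Advanced Communications'
$DsnKey   = 'HKLM:\SOFTWARE\ODBC\ODBC.INI\HCDatabase'   # System DSNs live under ODBC.INI

function New-StrongPassword([int]$Length = 20) {
    # 64-symbol alphabet, so '$byte -band 63' selects a symbol without modulo bias.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d' -and $pw -match '[!@]')
    $pw
}

function Test-HcRegistryAcl {
    # 'Users' must hold no ACE on the HC key. Inheritance is cut first, which is
    # what clearing the 'propagate' box and choosing Copy does in regedt32.
    if (-not (Test-Path -Path $HcKey)) { Write-Warning "'$HcKey' not found."; return $false }
    $acl   = Get-Acl -Path $HcKey
    $users = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }
    if (-not $users) { return $true }
    Write-Warning "'$HcKey' is still readable by BUILTIN\Users (any ASP page can read the DSN name)."
    if ($Fix) {
        $acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep a copy of current ACEs
        Set-Acl -Path $HcKey -AclObject $acl
        $acl = Get-Acl -Path $HcKey                  # re-read: the copied ACEs are now explicit
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'BUILTIN\Users')
        Set-Acl -Path $HcKey -AclObject $acl
        return $true
    }
    $false
}

function Test-HcAnonymousUser {
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    try { $null = $user.psbase.Name } catch { Write-Warning "Account '$UserName' not found."; return $false }
    $ok = $true
    $ageDays = [int]($user.PasswordAge.Value / 86400)
    Write-Host "$UserName password age: $ageDays day(s)"
    try {
        # IADsTSUserEx.AllowLogon: 1 = may log on to Terminal Services, 0 = denied
        if ($user.InvokeGet('AllowLogon') -ne 0) {
            Write-Warning "$UserName may still log on via Terminal Services."
            if ($Fix) { $user.InvokeSet('AllowLogon', 0); $user.SetInfo() } else { $ok = $false }
        }
    } catch { Write-Warning "Could not read Terminal Services settings for $UserName (Terminal Services not installed?)." }
    if ($Fix) {
        $pw = New-StrongPassword
        $user.SetPassword($pw)
        $user.SetInfo()
        Write-Host "New $UserName password (record it; enter it in IIS too unless IIS controls the password): $pw"
    }
    $ok
}

function Test-HcDsn {
    # Report only: a renamed DSN must also be entered in the HC Settings utility.
    if (Test-Path -Path $DsnKey) {
        Write-Warning "System DSN 'HCDatabase' still exists; rename it and update HC Settings."
        return $false
    }
    $true
}

[pscustomobject]@{
    RegistryAclOk   = Test-HcRegistryAcl
    AnonymousUserOk = Test-HcAnonymousUser
    DsnRenamedOk    = Test-HcDsn
}
```

Run it from an administrator prompt: without arguments it only reports, with -Fix it changes the registry ACL, the account's Terminal Services flag and its password. The DSN check is report-only because the new name has to be entered in the HC Settings utility as well. The ACL change is done in two passes on purpose: rules that are still inherited cannot be removed from the in-memory ACL, so inheritance is cut and written back before the 'Users' rules are purged.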
CREDITS:
Ben Maurer (http://theratnerschool.org)