RemoteAdmin/AOL Server 2.2 Vulnerability in AOL Server 2.2 (Unix) SYSTEMS AFFECTED Unix Servers Running AOL Server 2.2 PROBLEM Any local user is able to retrieve the encrypted password of the AOLserver's nsdadmin account, the password system uses DES, so the attacker can crack the password using the appropriate software. This is because the nsd.ini file, which AOLserver uses to set up it's port settings and other characteristics, is world-readable. IMPACT The nsadmin account can be compromised and then used to modify the AOLserver configuration, change passwords or shutdown the server. Once a local user has cracked the password, he is then able to use a web browser to reconfigure the server by visiting the following URL.. 'http://host.to.attack.com:9876/NS/Setup' We use port 9876 because it was defined in the nsd.ini file as: [ns/setup] Port=9876. Once at the password prompt, the attacker simply enters the nsadmin username and the password that he cracked. The attacker now has complete control over the AOLserver. EXPLOIT Locally, locate the AOLserver directory (find / -name nsd.ini), and follow these simple steps.. % cd % grep Password nsd.ini Password=t2GU5GN5XJWvk % ..Next crack the DES encrypted string using your favorite cracker program. SOLUTION Make the nsd.ini file readable only by it's owner. The contents of this advisory are Copyright (c) 1998 the Rhino9 security research team, this document may be distributed freely, as long as proper credit is given.