RemoteAdmin/AOL Server 2.2

                   Vulnerability in AOL Server 2.2 (Unix)

                   SYSTEMS AFFECTED
                   Unix Servers Running AOL Server 2.2

                   PROBLEM
                   Any local user is able to retrieve the encrypted password of the
                   AOLserver's nsadmin account. The password system uses DES, so the
                   attacker can crack the password using the appropriate software. This is
                   because the nsd.ini file, which AOLserver uses to set up its port settings
                   and other characteristics, is world-readable.

                   IMPACT
                   The nsadmin account can be compromised and then used to modify the
                   AOLserver configuration, change passwords or shut down the server.
                   Once a local user has cracked the password, he is then able to use a
                   web browser to reconfigure the server by visiting the following URL:

                   'http://host.to.attack.com:9876/NS/Setup'

                   We use port 9876 because it was defined in the nsd.ini file as:

                   [ns/setup]
                   Port=9876

                   Once at the password prompt, the attacker simply enters the nsadmin
                   username and the password that he cracked. The attacker now has
                   complete control over the AOLserver.

                   EXPLOIT
                   Locally, locate the AOLserver directory (find / -name nsd.ini), and
                   follow these simple steps:

                   % cd <AOLserver directory>
                   % grep Password nsd.ini
                   Password=t2GU5GN5XJWvk 
                   %

                   Next, crack the DES encrypted string using your favorite cracker
                   program.

                   SOLUTION
                   Make the nsd.ini file readable only by its owner.
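
                   An administrator can check for this exposure and apply the fix with
                   the following script. It is an added example, not part of the original
                   advisory; the function names audit_nsd_ini and harden_nsd_ini are
                   hypothetical, and the file path is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit an nsd.ini for the
# exposure described above and apply the SOLUTION. Function names are
# hypothetical; pass the path(s) of your own nsd.ini as arguments.

# audit_nsd_ini FILE
#   returns 0 if the file is safe, 1 if it holds a Password= entry and is
#   readable by group or other, 2 if the file does not exist.
audit_nsd_ini() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 2
    fi
    # No stored password hash means there is nothing for a local user to lift.
    if ! grep -q '^[[:space:]]*Password[[:space:]]*=' "$f"; then
        echo "ok (no Password= entry): $f"
        return 0
    fi
    # find -perm -MODE matches only when every bit in MODE is set.
    exposed=""
    if [ -n "$(find "$f" -perm -0004)" ]; then
        exposed="other"
    fi
    if [ -n "$(find "$f" -perm -0040)" ]; then
        exposed="${exposed:+$exposed,}group"
    fi
    if [ -n "$exposed" ]; then
        echo "EXPOSED (Password= entry readable by $exposed): $f"
        return 1
    fi
    echo "ok (owner-only): $f"
    return 0
}

# harden_nsd_ini FILE
#   removes all group and other access, leaving the owner's bits untouched.
harden_nsd_ini() {
    chmod go-rwx "$1"
}

# When run directly: sh script.sh /path/to/nsd.ini [...]
for f in "$@"; do
    audit_nsd_ini "$f" || true
done
```

                   A hash that was already readable should be treated as disclosed, so
                   change the nsadmin password after tightening the permissions.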

                   The contents of this advisory are Copyright (c) 1998 the Rhino9 security
                   research team, this document may be distributed freely, as long as
                   proper credit is given.