Hi, the problem also applys to ArcServe 2000. This securityleak was announced by CA in the Storage-Newsletter september-edition. There is a patch for ArcServe 2000 with SP2a available from http://support.ca.com/Download/patches/asitnt/QO00945.html Couldn't find anything for ArcServe 6.61IT. Does anybody know why this share is needed? What's with removing the share? Can the mentioned permissions be used? Marcus Bednorz -----Ursprüngliche Nachricht----- Von: ron [mailto:rdr@steelrat.kernelsutra.com] Gesendet: Sonntag, 16. September 2001 06:27 An: bugtraq@securityfocus.com Betreff: ARCserve 6.61 Share Access Vulnerability I have found a vulnerability with ARCServe for NT 6.61 SP2a. I stumbled upon this while performing a vulnerability analysis. Details: The default install of ARCServe for NT creates a hidden share on Windows NT machines when it is installed. The name of this share is ARCSERVE$. The permissions of the share allow all users in a domain to map this share. However, this is not the worst part. Within the share is a file named aremote.dmp. The full path is ARCSERVE$\DR\<NAME of SERVER>\aremote.dmp. In the aremote.dmp file, the account name that runs the backup is in cleartext within this file. Also, a little further within the file, the password for the account is in cleartext. Seeing as how the account that performs backups can access system files, this is very dangerous. Some places run their backups as the NT domain administrator account. Fix: CA has been notified and will be making a patch available to all customers. Also, it _should_ be possible to change the share permissions, allowing only the backup account and the administrator access to the share. I am not sure if this is in ARCServe 2000 or in releases prior, as I have not checked them. - rdr
