OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: rudi carell (rudicarellhotmail.com)
Date: Mon Nov 05 2001 - 14:17:14 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Good Morning Listmembers,

    this is another posting(see 1st here http://www.securityfocus.com/bid/3109)
    about Entrust s "getAccess[tm]" product

    Problem Description:

    "getAccess[tm]" (still) uses default shellscripts which start java-classes
    for their web-applications.

    due to missing input-validation it is possible to read files with getAccess
    s permissions on the "getaccess"-machine. (only works in combination with
    other input fields as described below)
    in connection with config- and other files this can lead to a
    total server-compromise(dont ask me how:-).

    POC-Example:

    a HTTP-request to:
    http://getAccessHostname/sek-bin/helpwin.gas.bat?

    with the following parameters:
    mode=
    &draw=x
    &file=x
    &module=
    &locale= [relative FILE/PATH] [Nullbyte/0x00] [Backslash/0x5c]
    &chapter=

    ... will lead to disclosure of [FILE/PATH]

    Config-Filelist(depends heavily on config .. and can be found 2 trav s back
    [../../]):

    /config/acl-runtime.conf
    /config/administration.conf
    /config/applist.conf
    /config/authmethod.conf
    /config/clientCert.conf
    /config/connection.conf
    /config/directories.conf
    /config/domainAuth.conf
    /config/hook.conf
    /config/license.conf
    /config/log.conf
    /config/login.conf
    /config/misc.conf
    /config/pmda.conf
    /config/redirection.conf
    /config/registry.conf
    /config/serverCert.conf
    /config/serverConnection.conf
    /config/source_systems.conf
    /config/version.conf
    /config/serverReq.pem
    /config/serverCert.pem
    /config/certs

    Summary:

    object: (helpwin.gas.bat cgi-shell-scripts)

    class: Reffering to OWASP-IV (Input Validation Classes)

    Directory Traversal (IV-DT-1)
    http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
    Null Character (IV-NC-1)
    http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm
    Meta Character (IV-MC-1)
    http://www.owasp.org/projects/cov/owasp-iv-mc-1.htm

    remote: yes
    local: ---

    vendor: hast been informed with seperate e-mail
    (securityentrust.com/entrustentrust.com)

    patch/fix: is already availiable and will be posted by entrust here today.

    recomannded fix: sanitize meta-characters from user-input

    personal remark: using shell-scripts for security-related software has
    always been dangerous!!!

    nice day,

    rC

    securityfreefly.com
    rudicarellhotmail.com
    http://www.freefly.com/security/

    check out the brandnew Open Web Application Security project
    http://www.owasp.org

    _________________________________________________________________
    Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp