Home page logo
/

bugtraq logo Bugtraq mailing list archives

New getAccess[tm] Vulnerability
From: "rudi carell" <rudicarell () hotmail com>
Date: Mon, 05 Nov 2001 14:17:14


Good Morning Listmembers,

this is another posting(see 1st here http://www.securityfocus.com/bid/3109)
about Entrust s "getAccess[tm]" product


Problem Description:

"getAccess[tm]" (still) uses default shellscripts which start java-classes
for their web-applications.

due to missing input-validation it is possible to read files with getAccess
s permissions on the "getaccess"-machine. (only works in combination with
other input fields as described below)
in connection with config- and other files this can lead to a
total server-compromise(dont ask me how:-).

POC-Example:

a HTTP-request to:
http://getAccessHostname/sek-bin/helpwin.gas.bat?

with the following parameters:
mode=
&draw=x
&file=x
&module=
&locale= [relative FILE/PATH] [Nullbyte/0x00] [Backslash/0x5c]
&chapter=

... will lead to disclosure of [FILE/PATH]

Config-Filelist(depends heavily on config .. and can be found 2 trav s back
[../../]):

/config/acl-runtime.conf
/config/administration.conf
/config/applist.conf
/config/authmethod.conf
/config/clientCert.conf
/config/connection.conf
/config/directories.conf
/config/domainAuth.conf
/config/hook.conf
/config/license.conf
/config/log.conf
/config/login.conf
/config/misc.conf
/config/pmda.conf
/config/redirection.conf
/config/registry.conf
/config/serverCert.conf
/config/serverConnection.conf
/config/source_systems.conf
/config/version.conf
/config/serverReq.pem
/config/serverCert.pem
/config/certs


Summary:

object: (helpwin.gas.bat  cgi-shell-scripts)

class: Reffering to OWASP-IV (Input Validation Classes)

Directory Traversal (IV-DT-1)
http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
Null Character (IV-NC-1)
http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm
Meta Character (IV-MC-1)
http://www.owasp.org/projects/cov/owasp-iv-mc-1.htm

remote: yes
local: ---

vendor: hast been informed with seperate e-mail
(security () entrust com/entrust () entrust com)

patch/fix: is already availiable and will be posted by entrust here today.

recomannded fix: sanitize meta-characters from user-input

personal remark: using shell-scripts for security-related software has
always been dangerous!!!


nice day,

rC




security () freefly com
rudicarell () hotmail com
http://www.freefly.com/security/

check out the brandnew Open Web Application Security project
http://www.owasp.org



































_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


  By Date           By Thread  

Current thread:
  • New getAccess[tm] Vulnerability rudi carell (Nov 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault