Date: Sat, 19 Jan 2008 12:41:58 +0100
From: "oliver karow" <oliver.karow@....de>
To: <bugtraq@...urityfocus.com>
Cc: "oliver karow" <oliver.karow@....de>, <security@...defender.com>
Subject: BitDefender Update Server - Unauthorized Remote File Access Vulnerability

BitDefender Update Server - Unauthorized Remote File Access Vulnerability
====================================================

* Affected Products:
 - BitDefender Security for Fileservers
 - BitDefender Enterprise Manager (BDEM)
 - All BitDefender Products, using their internal update server product

* Discovered by: Oliver Karow 
    http://oliver.greyhat.de/2008/01/19/bitdefender-unauthorized-remote-file-access-vulnerability/

* Vulnerable platform: Windows

* Vulnerable Version: N/A

Product/Company-Information:
=====================

- From Bitdefender's web site: 

"BitDefender™ provides security solutions to satisfy the protection requirements of today's computing environment, delivering effective threat management for over 41 million home and corporate users in more than 100 countries. BitDefender, a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona, Spain and Fort Lauderdale (FL), USA. 

...The Update Server allows you to set up an upgrade location within your local network. This way you needn't worry about updating the products installed on computers that are not connected to the Internet, achieving, at the same time, faster updates and reduced Internet traffic. The BitDefender Update Server is easy to configure through an intuitive step by step wizard. It will help you get the latest updates for all BitDefender products."

Vulnerability / Exploit
===============

The Update Server, which is part of several of BitDefender's Enterprise products, runs an HTTP daemon. The http.exe process runs with LocalSystem privileges and is vulnerable to plain old directory traversal: the request path is not confined to the application's root directory, so files outside that directory can be accessed with LocalSystem privileges.

To exploit, simply send:

    echo -e "GET /../../boot.ini HTTP/1.0\r\n\r\n" | nc <server> <port>

or use your web browser :)
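
The following is an added example, not code from BitDefender or from this advisory's author. It shows the two things a defender wants here: the path check a file-serving HTTP daemon must perform before opening anything (percent-decoding, backslash-to-slash folding, normalisation, and a final "is it still under the document root" test), and a log check that flags traversal attempts such as the GET above, including percent-encoded and backslash variants. The document root, the Common Log Format lines and the client addresses are constructed for the example; the advisory does not say where the Update Server keeps its files or what http.exe logs, and paths are handled POSIX-style purely for illustration (the check itself is the same on Windows). In a real server you would additionally resolve the final path with realpath to defeat symlinks and junctions.

```python
# Added example (not BitDefender's code, not the advisory author's): a
# request-path resolver that refuses to escape the document root, plus a
# log check that flags traversal attempts. Paths and log lines below are
# constructed; the update server's real install path and log format are
# not given in the advisory.
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote


def resolve_request_path(doc_root: str, raw_path: str) -> Optional[str]:
    """Map a request-URI path onto a file below doc_root.

    Returns the resolved path, or None when the request would escape the
    root. This is the check a file-serving daemon has to make before it
    opens anything with LocalSystem privileges.
    """
    root = posixpath.normpath(doc_root.replace("\\", "/"))
    path = raw_path.split("?", 1)[0]            # drop the query string
    path = unquote(path)                        # %2e%2e -> ..
    if "\x00" in path:                          # NUL-byte truncation tricks
        return None
    path = path.replace("\\", "/")              # Windows accepts both separators
    rel = posixpath.normpath(path.lstrip("/"))  # keep it relative so '..' survives
    if rel == ".." or rel.startswith("../"):
        return None                             # climbs above the root
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # Belt and braces: the final path must still sit inside the root.
    prefix = root if root.endswith("/") else root + "/"
    if candidate != root and not candidate.startswith(prefix):
        return None
    return candidate


_DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the path contains a '..' segment once percent-encoding
    (up to three layers, to catch %252e) and backslashes are undone."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return bool(_DOTDOT.search(path.replace("\\", "/")))


# Constructed Common Log Format lines (format assumed; the advisory does not
# describe what http.exe logs). Private client addresses, made-up sizes.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2008:12:41:58 +0100] "GET /updates/cumulative.txt HTTP/1.0" 200 512
10.0.0.9 - - [19/Jan/2008:12:42:03 +0100] "GET /../../boot.ini HTTP/1.0" 200 210
10.0.0.9 - - [19/Jan/2008:12:42:07 +0100] "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.0" 200 210
10.0.0.12 - - [19/Jan/2008:12:43:10 +0100] "GET /..%5c..%5cboot.ini HTTP/1.0" 200 210
"""

_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) HTTP/')


def flag_traversal_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, request-path) pairs for requests that look like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST.match(line)
        if m and is_traversal_attempt(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    root = "C:/Program Files/BitDefender/Update Server/htdocs"  # constructed
    for req in ("/updates/cumulative.txt", "/../../boot.ini", "/..%5c..%5cboot.ini"):
        print(f"{req!r:30} -> {resolve_request_path(root, req)}")
    for client, req in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {req}")
```

The resolver normalises the request as a relative path on purpose: normalising "/../../boot.ini" as an absolute path would silently collapse it to "/boot.ini" and serve a file from the root, whereas keeping it relative leaves the leading ".." visible so the request can be refused and logged.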

History:
======
* Date of Discovery: 07. Dec. 2007
* Mail to vendor: 16. Jan. 2008; security@...defender.com
* Response from Vendor: 18. Jan. 2008; Requesting me to open an account to get access to BitDefender's Support :)
* Advisory Release: 19. Jan. 2008
