lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20080211192242.b17aea08.aluigi@autistici.org> Date: Mon, 11 Feb 2008 19:22:42 +0100 From: Luigi Auriemma <aluigi@...istici.org> To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com, packet@...ketstormsecurity.org Subject: Directory traversal in SafeNet Sentinel Protection and Key Server 7.4.1.0 ####################################################################### Luigi Auriemma Application: SafeNet Sentinel Protection Server SafeNet Sentinel Keys Server http://www.safenet-inc.com Versions: <= 7.4.1.0 (aka SPI740SecurityPatch) Platforms: Windows Bug: directory traversal Exploitation: remote Date: 10 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@...istici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Sentinel Protection and Key Server are two simple webservers for the monitoring of the licenses and listen respectively on ports 6002 and 7002. ####################################################################### ====== 2) Bug ====== Both the webservers are affected by a directory traversal vulnerability exploitable using the backslash delimiter (the servers don't support hex chars) allowing an attacker to download any file in the disk on which the services are installed. It's funny to note that the security patch available from November 2007 was released just to fix a directory traversal vulnerability but they dropped only the slash delimiter leaving the backslash working. ####################################################################### =========== 3) The Code =========== GET /..\..\..\..\..\..\..\boot.ini HTTP/1.0 ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists