lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20080211192242.b17aea08.aluigi@autistici.org>
Date: Mon, 11 Feb 2008 19:22:42 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Directory traversal in SafeNet Sentinel
 Protection and Key Server 7.4.1.0


#######################################################################

                             Luigi Auriemma

Application:  SafeNet Sentinel Protection Server
              SafeNet Sentinel Keys Server
              http://www.safenet-inc.com
Versions:     <= 7.4.1.0 (aka SPI740SecurityPatch)
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         10 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Sentinel Protection and Key Server are two simple webservers for
the monitoring of the licenses and listen respectively on ports 6002
and 7002.


#######################################################################

======
2) Bug
======


Both the webservers are affected by a directory traversal
vulnerability exploitable using the backslash delimiter (the servers
don't support hex chars) allowing an attacker to download any file in
the disk on which the services are installed.

It's funny to note that the security patch available from November 2007
was released just to fix a directory traversal vulnerability but they
dropped only the slash delimiter leaving the backslash working.


#######################################################################

===========
3) The Code
===========


GET /..\..\..\..\..\..\..\boot.ini HTTP/1.0


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists