Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:841
HistoryOct 27, 2000 - 12:00 a.m.

[CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug

2000-10-2700:00:00
vulners.com
16
JSON
                          CORE SDI
                    http://www.core-sdi.com

Vulnerability Report For iPlanet CMS and Netscape Directory Server

Date Published: 2000-10-26

Advisory ID: CORE-2000-10-26

Bugtraq ID: 1839

CVE CAN: Non currently assigned.

Title: Path traversal and administrator password in clear text
vulnerabilities

Class: Access Validation Error/Design Error

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vulnerability Description:

Netscape (iPlanet) Certificate Management System, Netscape
Directory Server and Netscape Administration Servers share components which
suffer from two notable vulnerabilities.

  1. Path Traversal Vulnerability

The first vulnerability is a classic path traversal vulnerability
whereby a user can supply a crafted URL and access files outside the web
root
directory. This will result in the remote user being able to read/download
any files which the server itself (based on it's permissions) may access.

  1. Admininistrator password is stored in clear text

The 'Admin' password for these packages is stored in plaintext in
admin-serv\config\adm.conf. This in addition to the previous
vulnerability will allow anyone to obtain the password remotely and
perform admin duties if net access to the admin server is
available

Vulnerable Packages/Systems:

Netscape Certificate Management System 4.2 (MS Windows NT 4.0 version)
Netscape Directopy Server 4.12 (MS windows NT 4.0 version)

Solution/Vendor Information/Workaround:

Contact the vendor for a fix. Patches for IPlanet products
can be obtained from
http://www.iplanet.com/downloads/patches.index.html

Additionally, advisories and information on security issues
of these particular Netscape products can be obtained from:

(iPlanet) Certificate Management System

    http://www.securityfocus.com/bid/676

Netscape Directory Server

    http://www.securityfocus.com/bid/676

Vendor notified on: 10/02/2000

Credits:

These vulnerabilities were found by Emiliano Kargieman and
Agustin Kato Azubel from CORE SDI S.A., Buenos Aires, Argentina.

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories
please mail [email protected].

Technical Description - Exploit/Concept Code:

Several components installed by CMS 4.2 for Windows NT 4.0 allow an
attacker
to read/download any file outside the web root directory provided that
access
to any of the following servers is given:

  • The Agent services server on port 8100/tcp

  • The End Entity services server on port 443/tcp (This is normally
    accessable for any user over SSL)

  • The Administrator services server listening on a random port
    choosen during the installation process, or on port 8200 if
    configured to do so (not the default behavior).

    By using '\…/' in the URI an attacker can get out
    of the server's root directory and open any file.
    The following example demostrates the problem using the
    End Entity services server:

    A request for https://server/ca/\../\../\../\../\../\win.ini will
    open and display the requested file

. Admin password is stored in plantext in admin-serv\config\adm.conf.
This in addition to the previous bug will allow anyone to obtain the
password
remotely and perform admin duties if net access to the admin server is
available.

DISCLAIMER:

The contents of this advisory are copyright (c) 2000 CORE SDI S.A.
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

$Id: iPlanet-path-and-adminpw-advisory.txt,v 1.4 2000/10/26 20:55:58 iarce
Exp $

"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house,
It's nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Ivбn Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : [email protected]
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402

— For a personal reply use [email protected]

JSON