
SEC Consult SA-20110810-0 :: Client-side remote file upload & command execution in Check Point SSL VPN On-Demand applications - CVE-2011-1827

SEC Consult Vulnerability Lab Security Advisory < 20110810-0 >
=======================================================================
              title: Client-side remote file upload & command execution
            product: Check Point SSL VPN On-Demand applications (signed
                     Java applet and ActiveX control)
                     * SSL Network Extender (SNX)
                     * SecureWorkSpace
                     * Endpoint Security On-Demand
                     supplied by Check Point Connectra or other security
                     gateways

Hosting Controller - Multiple Security Bugs (Extremely Critical)

1- [Remote Attacker] can login to hosting controller Panel. He can also change all others' passwords:
    1.1- http://[HC URL]/hosting/addreseller.asp?reseller=[USERNAME]  -> for ex. [USERNAME]= resadmin
    1.2- Now, to login without changing the password, attacker must run "ChangeDisplay.htm" then redirect to "main.asp"
        ~~~~~~~~~~~~~~~~1.2.1 ChangeDisplay.htm~~~~~~~~~~~~~~~~~~~~~~~~
            <script>
            function check(){
                _action = '/AdminSettings/displays.asp?DecideAction=1&ChangeSkin=1'
                frmDisplay.action = window.document.all.URL.value + _action
                return true;
            }
            </script>

Multiple vulnerabilities in SUPERAntiSpyware and Super Ad Blocker

device control.
Both control codes are used for an object name retrieval, through
ZwQueryObject() method or
ObReferenceObjectByHandle()/ObQueryNameString() methods. Input buffers
for both IRP packets include user mode pointers which are completely
user-controllable. However, no checks regarding NULL pointers, invalid
input buffer length, or otherwise invalid pointers are made - user can
pass NULL input buffer and thus cause a BSOD.

Vulnerable code disassembly excerpt:
---

[scip_Advisory 4020] Check Point Connectra R62 Login Script Injection Vulnerability

Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020

I. INTRODUCTION

Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.

More information is available on the official product web site at the

QuickerSite Multiple Vulnerabilities

####################
2. Vulnerabilities:
####################
        2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can change admin password.
                2.1.1. Exploit:
                                Check the exploit section.
        2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site info., such as admin email address.
                2.2.1. Exploit:
                                Check the exploit section.
        2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site design. (Also, all the site settings can be changed by other parameters)
                2.3.1. Exploit:

PHP filesystem attack vectors

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

To be perfectly clear I was not aware of the path truncation issue
(damn!) and the use for this vulnerability was different in my mind.

If you read the discussion in [4] it was about checks. While ereg*()
functions can be poisoned by nullbytes, preg_*() and string functions
like substr() are binary safe.

So if there is a "blacklist" or negative check you can bypass it with
path normalization:

[USN-1083-1] Linux kernel vulnerabilities

Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)

Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)

Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly

FreeWebshop.org: multiple vulnerabilities

------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
address to the webservers. If these headers are found, FWS uses the
value of the header as the user's IP address. If these headers are
not set, FWS uses the IP address of the connecting party.

[USN-1074-1] Linux kernel vulnerabilities

Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)

Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)

Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privacy. (CVE-2010-2226)

[USN-1074-2] Linux kernel vulnerabilities

Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)

Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)

Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privacy. (CVE-2010-2226)

[tool release] Watcher v1.0.0 - passive Web-app security testing and compliance auditing

source are available through CodePlex at
http://websecuritytool.codeplex.com/.  A screenshot of the reporting screen
is also there.

This tool provides pen-testers hot-spot detection for vulnerabilities,
developers quick sanity checks, and auditors PCI compliance auditing.  It
looks for issues related to mashups, user-controlled payloads, cookies,
comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information
disclosure, Unicode, and more.

Major Features:

[CORE-2009-1209] Google SketchUp 'lib3ds' 3DS Importer Memory Corruption

4. *Vulnerable packages*

   . Google SketchUp 7.0.10247
   . Google SketchUp 7.1.4871
   . Google SketchUp 7.1.6087
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . Google SketchUp 7.1.6860 (Windows)

CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls

. BitDefender Antivirus 2008 Build 11.0.11
. Comodo Firewall Pro 2.4.18.184
. Sophos Antivirus 7.0.5
. Rising Antivirus 19.60.0.0 and 19.66.0.0
. Older versions may be affected, but were not checked.


*Non-vulnerable Packages*

. BitDefender Antivirus 2008 builds available through automatic updates,

[USN-1093-1] Linux Kernel vulnerabilities (Marvell Dove)

symlink structures. If an attacker were able to trick a user or automated
system into mounting a specially crafted filesystem, it could crash the
system or expose kernel memory, leading to a loss of privacy.

Ben Hutchings discovered that the ethtool interface did not correctly
check certain sizes. A local attacker could perform malicious ioctl calls
that could crash the system, leading to a denial of service. (Only Ubuntu
10.04 LTS was affected.) (CVE-2010-2478, CVE-2010-3084)

Eric Dumazet discovered that many network functions could leak kernel
stack contents. A local attacker could exploit this to read portions

CubeCart 4 Session Management Bypass

$this->db->mySQLSafe($GLOBALS[CC_ADMIN_SESSION_NAME]));

This will select the fields for the administrative user corresponding to
the session identified by sessID.
But when the administrative user is logged out, sessID is empty. So, we
can bypass this check by using an empty sessID.

There are 2 more checks that need to be bypassed:
There is this piece of code:

if (strpos($_SERVER['HTTP_USER_AGENT'],'AOL') == false &&

Plogger <= 3.0 SQL Injection

issues can be found in plog-download.php, and plog-remote.php
As mentioned earlier this issue also allows for the download
of arbitrary files on the target web server.

elseif($type == "album" || $type == "search"){
foreach ($checked as $pid){
     $query = "SELECT * FROM `".TABLE_PREFIX."pictures` WHERE 
`id`='".$pid."'";
     $result = run_query($query);
                        
     while ($row = mysql_fetch_assoc($result)){

Academic Web Tools CMS <= 1.4.2.8 Multiple Vulnerabilities

####################
2. Vulnerabilities:
####################
        2.1. Directory Traversal in "/download.php" in "dfile" parameter.
                2.1.1. Exploit:
                                                Check the exploit/POC section.
        2.2. Injection Flaws. SQL Injection in "/rating.php" in "book_id" parameter.
                2.2.1. Exploit:
                                                Check the exploit/POC section.
        2.3. Cross Site Scripting (XSS). Reflected XSS attack in "/login.php" in URL parameters.
                2.3.1. Exploit:

Cacti 0.8.7a Multiple Vulnerabilities

In addition if we enter as user name: "><script>alert(/XSS/);</script>,
then we have another XSS.
 
B) Path Disclosure Vulnerabilities
 
The program checks the value of a non existent parameter. This produces
an error that discloses the absolute installation path:
 
http://www.example.com/cacti/graph.php?local_graph_id=1
 
Other vulnerable code exists since in Cacti PHP errors are displayed as

R7-0038: Check Point Endpoint Security Server Information Disclosure

R7-0038: Check Point Endpoint Security Server Information Disclosure
February 7, 2011

-- Vulnerability Details:

The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries. 

Examples of exposed files include:

https://server/conf/ssl/apache/integrity-smartcenter.cert

CVE-2011-2664 Symlink Following and Second-Order Symlink Vulnerabilities in Multiple Check Point Security Management Products

=======================================================================
              title: Symlink Following and Second-Order Symlink
Vulnerabilities in Multiple Check Point Security Management Products
            product: Check Point Security Management
                        * Multi-Domain Security Management / Provider-1
                        * SmartCenter
 vulnerable version: multiple products, see sections below
      fixed version: multiple products, see sections below
         CVE number: CVE-2011-2664
             impact: high

Re: /proc filesystem allows bypassing directory permissions on Linux

On Wed, Oct 28, 2009 at 10:30:37PM +0100, Pavel Machek wrote:
> On Tue 2009-10-27 11:49:32, CaT wrote:
> > On Tue, Oct 27, 2009 at 12:29:09AM +0300, Dan Yefimov wrote:
> > > and testing them. Remember the scenario from the original mail and try 
> > > finding a window, during which creating a hardlink would still work thus 
> > > evading directory permissions check.
> > 
> > The main thing this does is allow a hardlink-like attack to work across
> > mountpoints afaics.
> 
> Yes, plus it allows "hardlinks" on deleted files, and this "strange

SphereCMS Blind SQL Injection Vulnerability

- Exploits/PoCs:
####################

+--> Exploiting The (MySQL) Blind SQL Injection:
        The GET variable 'view' in the archive module can be used for the attack.
        Check the URI 'example.com/archive.php?view=***'; the SQL query is placed at '***'.
        The users' passwords are stored in the `xcms_members` table. For extracting
        the password of 'Admin' we could use the following SQL injection vector:
              ?view=17' AND EXISTS

Re: Insufficient Authentication vulnerability in Acer notebooks

make password of default admin account similar to password of first admin
(during installation process). Because if default admin account will be
enabled later (with empty password) and will forget to set new password,
then it'll be much worse.

I'm not using Vista, so I can't check this issue on any of my computers. And
I want to check it by myself - is there such issue on Vista or not. For this
I'm planning to check one notebook of my friend (with Vista). But for more
than two weeks I couldn't meet with him and take his notebook. I quickly
checked two Asus notebook of my friends (as I wrote already to bugtraq), but
there is some delay with this Acer notebook with Vista. If in near time I'll

Vtiger CRM 5.0.4 Multiple Vulnerabilities

The vulnerability resides in the "Compose Mail" section. The software
permits sending email with attachments and offers a draft save feature.
When this feature is requested and an attachment is specified, the
"saveForwardAttachments" validation routine is called.

This routine involves some security checks to handle uploaded files, it
does blacklist extension checking and if a bad extension is detected the
txt extension is appended to the file-name.

The following is the specific section:


Re: Insufficient Authentication vulnerability in Acer notebooks

> make password of default admin account similar to password of first admin
> (during installation process). Because if default admin account will be
> enabled later (with empty password) and will forget to set new password,
> then it'll be much worse.
>
> I'm not using Vista, so I can't check this issue on any of my 
> computers. And
> I want to check it by myself - is there such issue on Vista or not. 
> For this
> I'm planning to check one notebook of my friend (with Vista). But for 
> more

CA Products That Embed Ingres Multiple Vulnerabilities

      ingstop
6. Change directory to the patch directory:
      cd patchXXXXX
7. Within the patch directory run the following command:
      ./utility/iiinstaller
      Please check the $II_SYSTEM/ingres/files/patch.log file to 
      make sure the patch was applied successfully. Also check the 
      $II_SYSTEM/ingres/version.rel to make sure the patch is 
      referenced.
      Note: The patch can also be installed silently using the '-m'
      flag with iiinstaller:

RE: OpenID/Debian PRNG/DNS Cache poisoning advisory

On Fri, 8 Aug 2008, Dave Korn wrote:
| > Isn't this a good argument for blacklisting the keys on the client
| > side?
| 
| Isn't that exactly what "Browsers must check CRLs" means in this
| context anyway?  What alternative client-side blacklisting mechanism
| do you suggest?
Since the list of bad keys is known and fairly short, one could
explicitly check for them in the browser code, without reference to
any external CRL.

[security bulletin] HPSBST02360 SSRT080117 rev.2 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-041 to MS08-051

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-08-18
Last Updated: 2008-08-18

Potential Security Impact: Please check the table below 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Various potential security vulnerabilities have been identified in Microsoft software that is running on the Storage Management Appliance (SMA). Some of these vulnerabilities may be pertinent to the SMA, please check the table in the Resolution section of this Security Bulletin.

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.