DISPLAY_NAME : Cisco Systems, Inc. VPN Service
DEPENDENCIES : TCPIP
SERVICE_START_NAME : LocalSystem
Interactive Users (i.e. those who have logged on locally) are granted
Modify permission (cacls "C", Change) on cvpnd.exe and on its parent
directory, denoted by NT AUTHORITY\INTERACTIVE:C in the cacls output
below. Since the service starts as LocalSystem, any interactive user can
replace the binary and have it run with SYSTEM privileges the next time
the service starts.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
NT AUTHORITY\INTERACTIVE:C
BUILTIN\Users:R
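An added example, not code from the advisory or from Cisco, of how to check for this class of problem: a Python checker that parses `cacls` output for a service binary and for its directory, and flags every ACE that gives a low-privileged principal write access. The sample output is constructed from the cacls lines quoted above; the `NT AUTHORITY\SYSTEM:F` entry and the `(special access:)` entry for the directory are assumptions added so the parser meets both an entry it must not flag and the expanded-rights form cacls prints.

```python
import re
from typing import Dict, List, Tuple

# Principals that any locally logged-on, or merely authenticated, user can act as.
LOW_PRIV_PRINCIPALS = {
    "NT AUTHORITY\\INTERACTIVE",
    "NT AUTHORITY\\Authenticated Users",
    "BUILTIN\\Users",
    "Everyone",
}

# cacls rights letters that allow rewriting or replacing the object
# (F = Full, C = Change, W = Write); R and N do not.
WRITE_LETTERS = {"F", "C", "W"}

# Expanded rights printed under "(special access:)" with the same effect.
WRITE_SPECIAL = {
    "GENERIC_ALL", "GENERIC_WRITE", "FILE_WRITE_DATA", "FILE_APPEND_DATA",
    "FILE_DELETE_CHILD", "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

# One cacls ACE: principal, optional inheritance flags such as (OI)(CI),
# then a single rights letter or the "(special access:)" marker.
ACE_RE = re.compile(
    r"^(?P<who>[^:]+?):(?:\([A-Z]+\))*(?:(?P<letter>[NRWCF])|\(special access:\))$"
)


def parse_cacls(path: str, output: str) -> Dict[str, List[str]]:
    """Parse the output of `cacls <path>` into {principal: [rights, ...]}.

    cacls prints the path once, on the same line as the first ACE, and indents
    the remaining ACEs under it. Path and principal can both contain spaces and
    backslashes, so the caller-supplied path is stripped rather than guessed.
    """
    aces: Dict[str, List[str]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            current = m.group("who")
            rights = aces.setdefault(current, [])
            if m.group("letter"):
                rights.append(m.group("letter"))
        elif current is not None:
            # Continuation line naming one expanded right of a
            # "(special access:)" entry, e.g. FILE_WRITE_DATA.
            aces[current].append(line)
    return aces


def writable_by_low_priv(aces: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return the (principal, right) pairs that let an ordinary user modify the object."""
    return [
        (who, right)
        for who, rights in aces.items()
        if who in LOW_PRIV_PRINCIPALS
        for right in rights
        if right in WRITE_LETTERS or right in WRITE_SPECIAL
    ]


def service_binary_at_risk(start_name: str, binary_aces, dir_aces) -> List[str]:
    """Describe how a service started as `start_name` could be hijacked.

    A writable binary is the direct case. A writable directory is reported on
    its own as well: it lets an attacker plant files (such as a DLL the binary
    loads) next to the service executable. Either way the payload runs as the
    service account at the next start.
    """
    findings = []
    for what, aces in (("binary", binary_aces), ("directory", dir_aces)):
        for who, right in writable_by_low_priv(aces):
            findings.append(f"{what} modifiable by {who} ({right}); service runs as {start_name}")
    return findings


# Constructed sample input, modelled on the cacls lines in the advisory
# (the SYSTEM and special-access entries are assumptions, see above).
BIN_PATH = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"
BIN_CACLS = (
    BIN_PATH + " NT AUTHORITY\\INTERACTIVE:C\n"
    "                                                    BUILTIN\\Users:R\n"
    "                                                    NT AUTHORITY\\SYSTEM:F\n"
)
DIR_PATH = "C:\\Program Files\\Cisco Systems\\VPN Client"
DIR_CACLS = (
    DIR_PATH + " NT AUTHORITY\\INTERACTIVE:(OI)(CI)C\n"
    "                                           BUILTIN\\Users:(OI)(CI)(special access:)\n"
    "                                                          READ_CONTROL\n"
    "                                                          SYNCHRONIZE\n"
    "                                                          FILE_GENERIC_READ\n"
)

if __name__ == "__main__":
    for finding in service_binary_at_risk(
        "LocalSystem", parse_cacls(BIN_PATH, BIN_CACLS), parse_cacls(DIR_PATH, DIR_CACLS)
    ):
        print(finding)
```

On a live host the two inputs come from `sc qc <service>` (BINARY_PATH_NAME and SERVICE_START_NAME, the fields quoted at the top of this advisory) and `cacls "<path>"` run on the binary and on its directory; the path handed to `cacls` is the one passed to `parse_cacls`.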
>
> Therefore, setting the directory permission to 0700 protects from hardlink
> creation (read that again!) and this bug in the /proc filesystem indeed
> leads to a change in access control semantics. Under POSIX, the file IS
> unwritable, because it is protected by the permissions on the parent
> directory.
>
> (2) While it's irrelevant for his argument, the script by Pavel Machek has a
> race condition. The 'chmod 700 /tmp/my_priv' should be done before the
> file is created, not afterwards. Otherwise there is a window where the
> file exists, but hardlink
size_t fts_namelen; /* strlen(fts_name) */
short fts_level; /* depth (-1 to N) */
int fts_errno; /* file errno */
long fts_number; /* local numeric value */
void *fts_pointer; /* local address value */
struct _ftsent *fts_parent; /* parent directory */
struct _ftsent *fts_link; /* next file structure */
struct _ftsent *fts_cycle; /* cycle structure */
struct stat *fts_statp; /* stat(2) information */
} FTSENT;
Sentinel Protection Server and Sentinel Keys Server run web servers on
ports 6002 and 7002, respectively, to allow remote monitoring of key
use. The web server software does not sanitize request paths correctly
before using them in system calls. As a result, an attacker can request
files outside the web server's document root by using the ../ notation
to refer to the parent directory of the current directory.
SOLUTION
========
Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server
Summary
It is possible for an admin user to upload a file to the filestorage's
parent directory. Under default conditions, this directory is
bytehoard's document root, and world writable.
Impact
-----------------------------------------
A] partial directory traversal on Windows
-----------------------------------------
Using 3 dots (...) in the HTTP request path, it is possible to retrieve a
specific file from the parent directory of the Firefly admin-root folder.
This means an attacker can download mt-daapd.conf, which contains the
server's whole configuration, or other files such as firefly.log.
If the server is password-protected, it is enough to use bug B below.
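The three web-server advisories above (Sentinel's ../ traversal, bytehoard's upload into the parent directory, Firefly's ... on Windows) are one bug: a request path glued onto the document root and handed to the filesystem without confinement. The following is an added example, not code from any of those products, written in Python: the vulnerable pattern beside a hardened resolver that decodes once, refuses any all-dot segment (so ... is caught as well as ..), refuses backslashes, and then checks lexically that the result is still under the root. The document root /srv/www and the request paths are constructed for illustration.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote


def vulnerable_resolve(doc_root: str, request_path: str) -> str:
    """The pattern behind the advisories: concatenation, no checks."""
    return doc_root + request_path


def hardened_resolve(doc_root: str, request_path: str) -> Optional[str]:
    """Return the path under doc_root that the request may open, or None.

    - strip the query string and percent-decode exactly once, before any
      check, so that %2e%2e is seen as '..' and not smuggled past the filter;
    - refuse NUL and backslashes (a path separator on Windows);
    - refuse any segment made only of dots: '..' is the classic traversal,
      '...' is what the Firefly advisory abuses on Windows, and a web server
      has no legitimate reason to serve either;
    - normalise and confirm the result still sits at or below doc_root.
    """
    path = unquote(request_path.split("?", 1)[0])
    if "\x00" in path or "\\" in path:
        return None
    segments = []
    for seg in path.split("/"):
        if seg == "" or seg == ".":
            continue
        if seg.strip(".") == "":  # '..', '...', '....', ...
            return None
        segments.append(seg)
    root = posixpath.normpath(doc_root)
    target = posixpath.normpath(posixpath.join(root, *segments))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def within_root_on_disk(doc_root: str, target: str) -> bool:
    """Second gate, run right before open(): resolve symlinks, since a link
    placed under the root (for example via an upload bug like bytehoard's)
    can still point outside it."""
    real_root = os.path.realpath(doc_root)
    real_target = os.path.realpath(target)
    return real_target == real_root or real_target.startswith(real_root + os.sep)


if __name__ == "__main__":
    # Constructed request paths covering the cases from the advisories.
    for req in ("/index.html", "/../mt-daapd.conf", "/.../mt-daapd.conf",
                "/%2e%2e/%2e%2e/etc/passwd", "/a/..%5cb"):
        print(f"{req:28} vulnerable -> {vulnerable_resolve('/srv/www', req)}")
        print(f"{'':28} hardened   -> {hardened_resolve('/srv/www', req)}")
```

The segment filter is deliberately stricter than normalisation: rejecting a request is cheaper and safer than trying to compute what the operating system will make of an odd component, and the final prefix check only exists as a backstop.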