Re: Directory traversal in SafeNet Sentinel Protection and Key Server 7.4.1.0



Hello everyone, was the server rebooted after the patch was installed?

I just setup a SafeNet Sentinel Protection Server SafeNet Sentinel Keys Server 7.4 and the exploit worked.

Once I isntalled the patch, and rebooted, when I try to run the exploit the server repsonds with "The Page Cannot be Displayed"

Take Care --John

-------------- Original message ----------------------
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>

#######################################################################

Luigi Auriemma

Application: SafeNet Sentinel Protection Server
SafeNet Sentinel Keys Server
http://www.safenet-inc.com
Versions: <= 7.4.1.0 (aka SPI740SecurityPatch)
Platforms: Windows
Bug: directory traversal
Exploitation: remote
Date: 10 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Sentinel Protection and Key Server are two simple webservers for
the monitoring of the licenses and listen respectively on ports 6002
and 7002.


#######################################################################

======
2) Bug
======


Both the webservers are affected by a directory traversal
vulnerability exploitable using the backslash delimiter (the servers
don't support hex chars) allowing an attacker to download any file in
the disk on which the services are installed.

It's funny to note that the security patch available from November 2007
was released just to fix a directory traversal vulnerability but they
dropped only the slash delimiter leaving the backslash working.


#######################################################################

===========
3) The Code
===========


GET /..\..\..\..\..\..\..\boot.ini HTTP/1.0


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org



Relevant Pages

  • Re: Immediate Logoff
    ... What I am saying is that there is no magic button that MSFT can push to fix the problem unless you can give them some information, ... Microsoft MVP - Terminal Server ... however think it is ironic how it happened from a patch. ... Do you know where I can report this to Microsoft for free? ...
    (microsoft.public.windows.terminal_services)
  • Re: problems with KB951746
    ... Browsing from the server directly through the external NIC. ... the fix installed in production....so how have you done the testing you've ... I doubt the patch, or SBS, is the problem here. ... If your firewall is not configured to allow DNS traffic ...
    (microsoft.public.windows.server.sbs)
  • RE: [Full-Disclosure] SSH Exploit Request
    ... A service is flawed in one way or another, patch it! ... If the vendor says the ... downtime of a server reboot", then think of it this way, with services such ... > vulnerable boxes, and a fix to install, and the fix isn't ...
    (Full-Disclosure)
  • Re: Why is smpatch so flakey?
    ... > proxy patch server. ... Problem is, the few times I've opened a ticket about smpatch with Sun, I've ... who could fix it. ... Patch Pro, either), they're out with Update Manager. ...
    (comp.unix.solaris)
  • Re: 5.3-RELEASE: WARNING - WRITE_DMA interrupt timout
    ... My problem is not related to a SATA controller. ... Everything works pretty well on this server. ... the qmail MTA, an otherwise pretty powerful email program. ... I'm going to apply a patch to qmail in a few days. ...
    (freebsd-current)