
Safend Data Protector 3.4.5586.9772 Privilege Escalation

Posted Nov 30, 2012
Authored by Joseph Sheridan | Site reactionpenetrationtesting.co.uk

Safend Data Protector suffers from multiple privilege escalation vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2012-4767, CVE-2012-4760, CVE-2012-4761
SHA-256 | 7fa4ab53d92dfd88c732eb79417967adbe52865b5df1b66c86b093a3abbc15b9

Safend Data Protector Multiple Vulnerabilities (Client software) 3.4.5586.9772:

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-private-key-log-file.html

Details
CVE number: CVE-2012-4767
The private key data is stored in the securitylayer.log file in a directory called "logs.9772". This key could potentially be used to decrypt communications between the client and server and ultimately affect the security policies applied to the machine.

Impact

An attacker may be able to decrypt and potentially change the Safend security policies applied to the machine.

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-write-dac-priv-esc.html

Details
CVE number: CVE-2012-4760
The SDBAgent service executable grants the 'WRITE_DAC' permission to all local users. WRITE_DAC allows a local user to rewrite the file's ACL and grant themselves full control of the file, which could then be trojaned to gain full local admin privileges. The following is the output from the cacls command:

C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe BUILTIN\Users:(special access:)

READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES

NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

Impact

An attacker may be able to elevate privileges to local administrator level.

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-write-dac-priv-esc.html


Details
CVE number: CVE-2012-4760
The SDPAgent service executable grants the 'WRITE_DAC' permission to all local users. WRITE_DAC allows a local user to rewrite the file's ACL and grant themselves full control of the file, which could then be trojaned to gain full local admin privileges. The following is the output from the cacls command:

C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe BUILTIN\Users:(special access:)

READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES

Impact

An attacker may be able to elevate privileges to local administrator level.
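
An audit check for the two WRITE_DAC findings above, added here as an example and not part of the original advisory: it parses cacls output and reports ACEs that give ordinary local users write-capable rights on a service binary. The LOW_PRIV and RISKY sets are assumptions chosen for this example.

```python
import re

PATH = r"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"
# Sample input: the advisory's cacls output for SDBAgent.exe, rights list abridged.
SAMPLE = PATH + r""" BUILTIN\Users:(special access:)

    READ_CONTROL
    WRITE_DAC
    SYNCHRONIZE
    FILE_GENERIC_READ

    NT AUTHORITY\SYSTEM:F
    BUILTIN\Users:R
    BUILTIN\Power Users:C
    BUILTIN\Administrators:F
"""

# Assumption: groups that every unprivileged local account belongs to.
LOW_PRIV = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users",
            r"NT AUTHORITY\INTERACTIVE"}
# Rights (and cacls letters F/C/W) that allow changing the file or its ACL.
RISKY = {"WRITE_DAC", "WRITE_OWNER", "DELETE", "FILE_WRITE_DATA",
         "FILE_APPEND_DATA", "FILE_GENERIC_WRITE", "F", "C", "W"}
ACE_RE = re.compile(r"^([^:]+):(\(special access:\)|[FRCWN])$")

def parse_cacls(text, path):
    """Return [(principal, rights_set)] for one file's cacls output."""
    aces, special = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the path
        m = ACE_RE.match(line)
        if m:
            rights = set() if m.group(2).startswith("(") else {m.group(2)}
            aces.append((m.group(1), rights))
            special = rights if m.group(2).startswith("(") else None
        elif special is not None and re.fullmatch(r"[A-Z_]+", line):
            special.add(line)                 # named right under "special access"
    return aces

def risky_aces(aces):
    """ACEs giving a low-privileged principal write-capable rights."""
    return [(who, sorted(rights & RISKY)) for who, rights in aces
            if who in LOW_PRIV and rights & RISKY]

if __name__ == "__main__":
    for who, rights in risky_aces(parse_cacls(SAMPLE, PATH)):
        print(f"{PATH}: {who} holds {', '.join(rights)}")
```

An empty result for a service binary means no ACE in the output gives the listed low-privileged groups a way to modify the file or its ACL.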

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-unquoted-path-priv-esc.html

Details
CVE number: CVE-2012-4761
The SDBAgent Windows service path has spaces in the path and is not quoted:

C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe

Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"

This could allow a user with write access to the C: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe"), which would be run in place of the intended file.

Impact

An attacker may be able to elevate privileges to local system level.

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-unquoted-path-priv-esc.html

Details
CVE number: CVE-2012-4761
The SDPAgent Windows service path has spaces in the path and is not quoted:

C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe

Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"

This could allow a user with write access to the C: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe"), which would be run in place of the intended file.

Impact

An attacker may be able to elevate privileges to local system level.
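
An audit check for the two unquoted-path findings above, added here as an example and not part of the original advisory: for each service ImagePath it reports the paths Windows would try before the intended binary, the folders whose write permissions therefore matter, and the quoted value to set instead. The SERVICES table and the QuotedSvc and NoSpaceSvc entries are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Service name -> ImagePath. The two Safend values are the ones quoted in the
# advisory; the other two are constructed for contrast.
SERVICES = {
    "SDBAgent": r"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe",
    "SDPAgent": r"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe",
    "QuotedSvc": r'"C:\Program Files\Example\svc.exe" -run',
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

def audit_image_path(image_path):
    """Return None if safe, else what Windows tries first and how to fix it."""
    p = image_path.strip()
    if p.startswith('"'):
        return None                      # quoted: the path is taken literally
    m = re.match(r"(.+?\.exe)\b", p, re.IGNORECASE)
    exe = m.group(1) if m else p         # drop any arguments after the .exe
    if " " not in exe:
        return None
    # An unquoted path is split at each space and "<prefix>.exe" is tried first.
    tried = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    # Folders where a non-admin must not be able to create files.
    dirs = list(dict.fromkeys(ntpath.dirname(t) for t in tried))
    return {"tried_first": tried, "lock_down_dirs": dirs,
            "fix": f'"{exe}"' + p[len(exe):]}

def audit_services(services):
    """Map each vulnerable service name to its audit result."""
    results = {name: audit_image_path(path) for name, path in services.items()}
    return {name: r for name, r in results.items() if r}

if __name__ == "__main__":
    for name, r in audit_services(SERVICES).items():
        print(name, "-> set ImagePath to", r["fix"])
        print("   check write ACLs on:", ", ".join(r["lock_down_dirs"]))
```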



Best regards,

Joe


Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk
Email: joe@reactionis.co.uk

Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ
