[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Safend Data Protector Multiple Vulnerabilities
From:       "Joseph Sheridan" <joe () reactionis ! com>
Date:       2012-11-29 15:38:29
Message-ID: 0c2501cdce47$95ebc970$c1c35c50$ () reactionis ! com
[Download RAW message or body]

Safend Data Protector Multiple Vulnerabilities (Client software) 3.4.5586.9772:

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-private-key-log-file.html

Details
CVE number: CVE-2012-4767
The private key data is in the securitylayer.log file in a directory called "logs.9772". This \
key could potentially be used to decrypt communications between the client and server and \
ultimately affect the security policies applied to the machine. Impact

An attacker may be able to decrypt and potentially change the Safend security policies applied \
to the machine.

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-write-dac-priv-esc.html

Details
CVE number: CVE-2012-4760
The SDBagent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC \
privilege would allow a local user to rewrite the acl and give himself full control of the file \
which could then be trojaned to gain full local admin privileges. The following is the output \
from the cacls command:

C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe BUILTIN\Users:(special access:)

READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES

NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

Impact

An attacker may be able to elevate privileges to local administrator level.

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-write-dac-priv-esc.html


Details
CVE number: CVE-2012-4760
The SDPagent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC \
privilege would allow a local user to rewrite the acl and give himself full control of the file \
which could then be trojaned to gain full local admin privileges. The following is the output \
from the cacls command:

C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe BUILTIN\Users:(special access:)

READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES

Impact

An attacker may be able to elevate privileges to local administrator level.

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-unquoted-path-priv-esc.html

Details
CVE number: CVE-2012-4761
The SDBAgent Windows service path has spaces in the path and is not quoted:

C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe

Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"

This could allow a user with write access to the c: drive to create a malicious C:\program.exe \
file (or even "c:\program files\safend\data.exe") which would be run in place of the intended \
file. Impact

An attacker may be able to elevate privileges to local system level.

Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-unquoted-path-priv-esc.html 

Details
CVE number: CVE-2012-4761
The SDPAgent Windows service path has spaces in the path and is not quoted:

C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe

Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"

This could allow a user with write access to the c: drive to create a malicious C:\program.exe \
file (or even "c:\program files\safend\data.exe") which would be run in place of the intended \
file. Impact

An attacker may be able to elevate privileges to local system level.



Best regards,

Joe


Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk 
Email: joe@reactionis.co.uk

Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ
 
This email and any files transmitted with it are confidential and are intended solely for the \
use of the individual to whom they are addressed. If you are not the intended recipient please \
notify the sender. Any unauthorised dissemination or copying of this email or its attachments \
and any use or disclosure of any information contained in them, is strictly prohibited.

 Please consider the environment before printing this email



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]