List: full-disclosure
Subject: [Full-disclosure] Safend Data Protector Multiple Vulnerabilities
From: "Joseph Sheridan" <joe () reactionis ! com>
Date: 2012-11-29 15:38:29
Message-ID: 0c2501cdce47$95ebc970$c1c35c50$ () reactionis ! com
Safend Data Protector Multiple Vulnerabilities (Client software) 3.4.5586.9772:
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-private-key-log-file.html
Details
CVE number: CVE-2012-4767
The private key data is in the securitylayer.log file in a directory called "logs.9772". This
key could potentially be used to decrypt communications between the client and server and
ultimately affect the security policies applied to the machine.
Impact
An attacker may be able to decrypt and potentially change the Safend security policies applied
to the machine.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-write-dac-priv-esc.html
Details
CVE number: CVE-2012-4760
The SDBAgent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC
privilege would allow a local user to rewrite the ACL and give himself full control of the file,
which could then be trojaned to gain full local admin privileges. The following is the output
from the cacls command:
C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe BUILTIN\Users:(special access:)
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
Impact
An attacker may be able to elevate privileges to local administrator level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-write-dac-priv-esc.html
Details
CVE number: CVE-2012-4760
The SDPAgent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC
privilege would allow a local user to rewrite the ACL and give himself full control of the file,
which could then be trojaned to gain full local admin privileges. The following is the output
from the cacls command:
C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe BUILTIN\Users:(special access:)
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
Impact
An attacker may be able to elevate privileges to local administrator level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-unquoted-path-priv-esc.html
Details
CVE number: CVE-2012-4761
The SDBAgent Windows service path has spaces in the path and is not quoted:
C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe
Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"
This could allow a user with write access to the c: drive to create a malicious C:\program.exe
file (or even "c:\program files\safend\data.exe") which would be run in place of the intended
file.
Impact
An attacker may be able to elevate privileges to local system level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-unquoted-path-priv-esc.html
Details
CVE number: CVE-2012-4761
The SDPAgent Windows service path has spaces in the path and is not quoted:
C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe
Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"
This could allow a user with write access to the c: drive to create a malicious C:\program.exe
file (or even "c:\program files\safend\data.exe") which would be run in place of the intended
file.
Impact
An attacker may be able to elevate privileges to local system level.
Best regards,
Joe
Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk
Email: joe@reactionis.co.uk
Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ
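
Added example (not part of the original advisory or of Safend's software): an offline audit for the unquoted service path issue described above. Given service ImagePath values, it lists the earlier locations Windows would try before the intended binary, which are the paths whose ACLs must not be writable by standard users. The function names and the two extra sample services are hypothetical, and the sample data is constructed.

```python
import re

# Constructed sample: service name -> ImagePath as stored in the service configuration.
SAMPLE_SERVICES = {
    "SDBAgent": r"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe",
    "SDPAgent": r"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe",
    "QuotedSvc": r'"C:\Program Files\Example\svc.exe" -run',  # hypothetical, quoted
    "NoSpaceSvc": r"C:\Windows\System32\example.exe -k grp",   # hypothetical, no space
}

# Assumption: the executable ends at the first ".exe" followed by a space or end of string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Strip trailing arguments from an unquoted ImagePath."""
    path = image_path.strip()
    match = _EXE.match(path)
    return match.group(1) if match else path


def shadow_candidates(image_path):
    """Return the paths tried before the intended binary, in order.

    An unquoted command line is split at each space; every prefix is tried
    as a program name, with ".exe" appended when it has no extension.
    Quoted paths and paths without spaces yield an empty list.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    exe = executable_part(path)
    candidates = []
    for index, char in enumerate(exe):
        if char != " ":
            continue
        prefix = exe[:index]
        has_extension = "." in prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if has_extension else prefix + ".exe")
    return candidates


def audit(services):
    """Map each affected service to the locations that need an ACL review."""
    findings = {}
    for name, image_path in services.items():
        candidates = shadow_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings
```

The fix for a flagged service is to quote the ImagePath; the listed locations show where a stray executable would be picked up until that is done.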