[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Safend Data Protector Multiple Vulnerabilities
- To: "'full-disclosure'" <full-disclosure@xxxxxxxxxxxxxxxxx>, "'bugtraq'" <bugtraq@xxxxxxxxxxxxxxxxx>, <secalert@xxxxxxxxxxxxxxxxxx>, <bugs@xxxxxxxxxxxxxxxxxxx>, <vuln@xxxxxxxxxxxxxxxx>, <news@xxxxxxxxxxxxxx>, <moderators@xxxxxxxxx>, <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <submit@xxxxxxxxxxxxxx>, <first-bulletins@xxxxxxxxxxxxxxx>, <vulnwatch@xxxxxxxxxxxxx>
- Subject: Safend Data Protector Multiple Vulnerabilities
- From: "Joseph Sheridan" <joe@xxxxxxxxxxxxxx>
- Date: Thu, 29 Nov 2012 15:38:29 -0000
Safend Data Protector Multiple Vulnerabilities (Client software) 3.4.5586.9772:
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-private-key-log-file.html
Details
CVE number: CVE-2012-4767
The private key data is in the securitylayer.log file in a directory called
"logs.9772". This key could potentially be used to decrypt communications
between the client and server and ultimately affect the security policies
applied to the machine.
Impact
An attacker may be able to decrypt and potentially change the Safend security
policies applied to the machine.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-write-dac-priv-esc.html
Details
CVE number: CVE-2012-4760
The SDBagent service has 'WRITE_DAC' privileges set for all local users. The
WRITE_DAC privilege would allow a local user to rewrite the acl and give
himself full control of the file which could then be trojaned to gain full
local admin privileges. The following is the output from the cacls command:
C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe
BUILTIN\Users:(special access:)
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
Impact
An attacker may be able to elevate privileges to local administrator level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-write-dac-priv-esc.html
Details
CVE number: CVE-2012-4760
The SDPagent service has 'WRITE_DAC' privileges set for all local users. The
WRITE_DAC privilege would allow a local user to rewrite the acl and give
himself full control of the file which could then be trojaned to gain full
local admin privileges. The following is the output from the cacls command:
C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe
BUILTIN\Users:(special access:)
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
Impact
An attacker may be able to elevate privileges to local administrator level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-unquoted-path-priv-esc.html
Details
CVE number: CVE-2012-4761
The SDBAgent Windows service path has spaces in the path and is not quoted:
C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe
Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"
This could allow a user with write access to the c: drive to create a malicious
C:\program.exe file (or even "c:\program files\safend\data.exe") which would be
run in place of the intended file.
Impact
An attacker may be able to elevate privileges to local system level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-unquoted-path-priv-esc.html
Details
CVE number: CVE-2012-4761
The SDPAgent Windows service path has spaces in the path and is not quoted:
C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe
Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"
This could allow a user with write access to the c: drive to create a malicious
C:\program.exe file (or even "c:\program files\safend\data.exe") which would be
run in place of the intended file.
Impact
An attacker may be able to elevate privileges to local system level.
Best regards,
Joe
Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk
Email: joe@xxxxxxxxxxxxxxxx
Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ
This email and any files transmitted with it are confidential and are intended
solely for the use of the individual to whom they are addressed. If you are not
the intended recipient please notify the sender. Any unauthorised dissemination
or copying of this email or its attachments and any use or disclosure of any
information contained in them, is strictly prohibited.
Please consider the environment before printing this email