NAI Net Tools PKI Server Directory Traversal Vulnerability
BID:1537
Info
| Bugtraq ID: | 1537 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 02 2000 12:00AM |
| Updated: | Aug 02 2000 12:00AM |
| Credit: | This vulnerability was discovered and detailed in an advisory (attached beneath) by CORE SDI, in particular by Juliano Rizzo <[email protected]>. Disclaimer: CORE SDI serve as SecurityFocus.com's network security auditors. SecurityFocus.com was in n |
| Vulnerable: | Network Associates Net Tools PKI Server 1.0; Network Associates Net Tools PKI Server 1.0 Hotfix1; Network Associates Net Tools PKI Server 1.0 Hotfix2 |
| Not Vulnerable: | |
Discussion
Certain versions of Network Associates Inc.'s Net Tools PKI (Public Key Infrastructure) server ship with a vulnerability that allows remote attackers to read any file on the system on which the PKI server resides. The problem lies within the web server component of the PKI server (strong.exe), which operates several 'virtual servers' required to run the PKI server. The first is the Administrative Web Server, which listens on TCP port 443; the second is the Enrollment Web Server, which listens on TCP port 444. Unlike the Administrative Web Server, the Enrollment Web Server does not require credentials to be exchanged before a user can talk to the web server. It is via this virtual server that an attacker can exploit the problem at hand.
The problem in particular is a failure on the part of the web server to enforce a web root directory. As a result, a user may walk the entire directory tree of the target host and view any file whose location they know: autoexec.bat, for example, or backup SAM files.
By default the enrollment server uses \Program Files\Network Associates\Net Tools PKI Server\WebServer\enroll-server as the web root directory. In a properly written web server a user should only be able to move forward (deeper) in the tree from the web root, never backward above it.
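The following is an added example, not code from Net Tools PKI Server or from the CORE SDI advisory, of the web-root enforcement the paragraph above says a properly written web server must perform. The request path is URL-decoded first, both `/` and `\` are treated as separators (the Windows server in the advisory honoured backslashes), and `..` is only allowed to pop segments that sit below the root; any attempt to climb above the root is refused. The `WEB_ROOT` value mirrors the default enroll-server directory quoted above, written with forward slashes; the check is purely lexical (PurePosixPath), so it runs on any OS without touching the filesystem.

```python
"""Enforcing a web root when mapping a request path to a file.

Added example, not code from the product or the advisory. The function
models the check a web server must perform before opening a file:
decode, normalise separators, then refuse anything that escapes the root.
"""
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Assumed document root, mirroring the advisory's default enroll-server root
# (written with '/' so the example is OS-independent).
WEB_ROOT = "/Program Files/Network Associates/Net Tools PKI Server/WebServer/enroll-server"


def resolve_under_root(request_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Return the file path for request_path, or None if it would leave web_root.

    Decoding happens before any segment is examined, so '%2e%2e%5c' cannot
    hide a parent-directory step, and backslashes are normalised to '/' so
    '..\\' and '../' are treated identically.
    """
    decoded = unquote(request_path).replace("\\", "/")
    root = PurePosixPath(web_root)
    target = root
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                      # empty or current-directory segment: no-op
        if seg == "..":
            if target == root:
                return None               # would climb above the web root: refuse
            target = target.parent        # '..' may only undo a step taken below the root
        else:
            target = target / seg
    return str(target)


if __name__ == "__main__":
    for p in ("/enroll/index.html", "/..\\..\\..\\..\\..\\autoexec.bat", "/%2e%2e%5cautoexec.bat"):
        print(repr(p), "->", resolve_under_root(p))
```

The walk refuses `..` at the root rather than merely stripping it, so a request that mixes legitimate subdirectories with extra `..` steps (`/a/../../b.html`) is rejected as well. A real server must additionally resolve the final path on the filesystem (symbolic links, junctions, short 8.3 names) before serving it; that step is outside this lexical check.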
Exploit / POC
As detailed in the CORE SDI advisory on this issue:
https://host:444/..\..\..\..\..\autoexec.bat
Solution / Fix
Solution:
Network Associates has released a fix for this problem. Furthermore, CORE SDI has detailed a way to check whether this exploit has been attempted against your installation, as per the CORE SDI advisory (attached in full in the 'Credit' section):
To determine whether anyone has attempted to exploit this vulnerability, check the enroll-access.log and the admin-access.log files in the WebServer/logs directory of your Net Tools PKI Server installation. Search for any log entries containing "..\". Each matching entry can then be examined to see the IP address of the computer that submitted the request.
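As an added example (not code from the CORE SDI advisory or from Network Associates), the check described above run over a constructed log sample. The advisory says to search WebServer/logs for entries containing `..\`; this scanner does that and also matches the forward-slash and percent-encoded spellings of the same parent-directory step, then tallies requests by source IP. The log lines are constructed samples in Common Log Format; the real Net Tools PKI log layout is an assumption, so `LOG_RE` may need adjusting to match your files.

```python
"""Scanning enroll-access.log / admin-access.log for traversal attempts.

Added example, not the advisory's own code. Lines that do not match the
assumed Common Log Format are skipped rather than guessed at.
"""
import re
from collections import Counter
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample of what WebServer/logs/enroll-access.log might contain.
# The second line is the advisory's own request; the third is the same thing
# percent-encoded; the last uses forward slashes.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Aug/2000:10:12:01 -0300] "GET /enroll/index.html HTTP/1.0" 200 1532
10.0.0.9 - - [02/Aug/2000:10:13:44 -0300] "GET /..\\..\\..\\..\\..\\autoexec.bat HTTP/1.0" 200 211
10.0.0.9 - - [02/Aug/2000:10:13:50 -0300] "GET /%2e%2e%5c%2e%2e%5cautoexec.bat HTTP/1.0" 200 211
10.0.0.7 - - [02/Aug/2000:10:15:02 -0300] "GET /enroll/images/logo.gif HTTP/1.0" 200 4410
10.0.0.12 - - [02/Aug/2000:10:16:30 -0300] "GET /../../readme.txt HTTP/1.0" 404 120
"""

# Assumed Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_traversal(path: str) -> bool:
    """True if the request path contains a parent-directory step in any spelling.

    Decoding twice defeats one layer of double-encoding (%252e -> %2e -> .).
    """
    decoded = unquote(unquote(path))
    return "..\\" in decoded or "../" in decoded


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, status, path) for every log entry that looks like a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not guess
        if is_traversal(m["path"]):
            hits.append((m["ip"], m["status"], m["path"]))
    return hits


def offenders(log_text: str) -> Counter:
    """Count traversal attempts per source IP, as the advisory suggests examining."""
    return Counter(ip for ip, _, _ in find_traversal_attempts(log_text))


if __name__ == "__main__":
    for ip, status, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip:<12} {status} {path}")
    print(offenders(SAMPLE_LOG))
```

A status of 200 on a matching line means the server actually returned the requested file, which is the case the advisory's check is meant to surface; a 404 still records the attempt and the source address.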
Network Associates Net Tools PKI Server 1.0
- Network Associates Hotfix 3: http://www.nai.com/asp_set/download/upgrade/find.asp
Network Associates Net Tools PKI Server 1.0 Hotfix1
- Network Associates Hotfix 3: http://www.nai.com/asp_set/download/upgrade/find.asp
Network Associates Net Tools PKI Server 1.0 Hotfix2
- Network Associates Hotfix 3: http://www.nai.com/asp_set/download/upgrade/find.asp
References
References:
- CORE SDI Homepage (CORE)
- Net Tools PKI Product Homepage (Network Associates Inc.)
- Release Notes for Net Tools PKI Server Version 1.0 for Windows NT HotFix 1 (Network Associates Inc.)