Multiple Vulnerabilities in PatchLink Update Server 6

2006.07.11
Risk: High
Local: No
Remote: Yes
CWE: N/A

-------------------------------------------------------------
PatchLink Update Server 6 SQL Injection
-------------------------------------------------------------
Severity: Critical
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
========
Novacoast has discovered a vulnerability in the PatchLink Update Server (PLUS). This could allow an attacker to execute SQL statements in the PatchLink database as DBO.

Background
==========
PatchLink Update* is the core product of the leading patch and vulnerability management solution for medium and large enterprise networks.

Discussion
==========
There is an SQL injection vulnerability in the checkprofile.asp script. This unauthenticated script uses posted variables in an SQL call, which can be exploited. An unchecked, posted variable (agentid) is used to build an SQL statement. The statement is executed with "PLUS ANONYMOUS" as the inserting user; that account is a member of PLUS ADMINS, and the PLUS ADMINS group is dbo on the PLUS database. Thus the database can be manipulated as DBO via this attack.

Affected Version
================
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2 SR1

Exploit
=======
None required. The example exploit given here will write the string "something" into the ReportErrors table:

http://plus.company.org/dagent/checkprofile.asp?agentid=11111';%20INSERT%20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20('something')--

Recommended Solution
====================
Apply Vendor Patch
PatchLink:
  PatchLink Update Server (PLUS) for 6.2 SR1 P1
  PatchLink Update Server (PLUS) for 6.1 P1
Novell:
  http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

Disclaimer
==========
Novacoast accepts no liability or responsibility for the content of this report, or for the consequences of any actions taken on the basis of the information provided within. Dissemination of this information is granted provided it is presented in its entirety. Modifications may not be made without the explicit permission of Novacoast.

-------------------------------------------------------------
PatchLink Update Server 6 PDP Anonymous Access
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
========
Novacoast has discovered a vulnerability in the PatchLink Update Server (PLUS) Distribution Point Server Listing for PatchLink's FastPatch application. Exploitation of this vulnerability could allow an attacker to proxy requests by PatchLink Update Agents for patches, and thus possibly inject arbitrary packages into the PatchLink environment.

Background
==========
PatchLink Update* is the core product of the leading patch and vulnerability management solution for medium and large enterprise networks. PatchLink Distribution Point and FastPatch technology provide intelligent distribution across the entire enterprise, minimizing deployment times and bandwidth utilization across the wide area network.

Discussion
==========
The ASP page "proxyreg.asp" does not properly authenticate credentials when accessed. The "proxyreg.asp" page appears to be used by the PatchLink FastPatch software, which allows roaming PatchLink agents to identify proxy servers on their network and connect to the closest or fastest PatchLink Distribution Point (PDP) automatically. The ASP page returns a list of PDP servers in the organization's environment. An unauthenticated user can list, add, and remove PDP servers from this list.

This vulnerability only affects organizations that use the FastPatch add-on product. Organizations that use SSL to protect their agent-to-PLUS communication are unaffected by this attack.

Affected Version
================
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2 SR1

Exploit
=======
None required.

1) To list all Proxy servers use:
http://plus.company.org/dagent/proxyreg.asp?List=
Use username/password of null/null for authentication.

2) To add a new Proxy server, use:
http://plus.company.org/dagent/proxyreg.asp?Proxy=www.hostileproxy.com:1337

3) To delete a Proxy server, use:
http://plus.company.org/dagent/proxyreg.asp?Delete=pdp1.company.org

Recommended Solution
====================
1) Apply Vendor Patch
PatchLink:
  PatchLink Update Server (PLUS) for 6.2 SR1 P1
  PatchLink Update Server (PLUS) for 6.1 P1
Novell:
  http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

2) Workaround
Deploy SSL certificate authentication to secure traffic between agents and PLUS.

Disclaimer
==========
Novacoast accepts no liability or responsibility for the content of this report, or for the consequences of any actions taken on the basis of the information provided within. Dissemination of this information is granted provided it is presented in its entirety. Modifications may not be made without the explicit permission of Novacoast.

-------------------------------------------------------------
PatchLink Update Server 6 File Overwrite
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
========
Novacoast has discovered a vulnerability in the PatchLink Update Server (PLUS). This could allow an attacker to write or overwrite files on the PLUS filesystem.

Background
==========
PatchLink Update* is the core product of the leading patch and vulnerability management solution for medium and large enterprise networks.

Discussion
==========
The application "nwupload.asp" allows unauthenticated connections, and performs file writes for the requester as the user "PLUS ANONYMOUS" (who is a member of the "PLUS ADMINS" Windows group by default). No validation checks are performed to prevent directory traversal. The application nwupload.asp writes a file into directories defined by variables passed to the page, appended to a registry key value. By default, on a Windows 2003 server, the registry key points to "C:\Program Files\Patchlink\Update Server\Storage". Since directory traversals are not checked for, it is possible to write to any folder on the PLUS that PLUS ANONYMOUS (and thus the PLUS ADMINS group) has access to.

Affected Version
================
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2 SR1

Exploit
=======
None required.

1) An attacker can run:
http://plus.company.org/dagent/nwupload.asp?action=one&agentid=two&data=thisiscool&index=1

This will first delete the folder at:
{regkey for storage directory}\one\two
then create the directory:
{regkey for storage directory}\one\two
then write the file:
{regkey for storage directory}\one\two\1.txt
The file 1.txt will have the contents of the "data" variable.

Recommended Solution
====================
Apply Vendor Patch
PatchLink:
  PatchLink Update Server (PLUS) for 6.2 SR1 P1
  PatchLink Update Server (PLUS) for 6.1 P1
Novell:
  http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

Disclaimer
==========
Novacoast accepts no liability or responsibility for the content of this report, or for the consequences of any actions taken on the basis of the information provided within. Dissemination of this information is granted provided it is presented in its entirety. Modifications may not be made without the explicit permission of Novacoast.
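The directory-traversal check that nwupload.asp lacks, modelled in Python as an added example (not PatchLink's or Novacoast's code): unsafe_target mirrors the behaviour the advisory describes, and safe_target is the hardened form. The storage root is the Windows 2003 default named in the advisory; the allow-list pattern for the action and agentid segments is an assumption.

```python
"""Path containment for the nwupload.asp write target, modelled in Python.
Added example; the allow-list pattern is an assumption, not PatchLink's."""
import ntpath
import re

# Default storage root quoted in the advisory (Windows 2003 install).
STORAGE_ROOT = r"C:\Program Files\Patchlink\Update Server\Storage"
# Assumed allow-list: an action name or agent id never needs path syntax.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unsafe_target(action, agentid, index):
    """Mirrors the vulnerable behaviour: request parameters are appended to
    the storage root as path components with no validation, so '..' segments
    (or an absolute path in 'action') escape the root."""
    return ntpath.join(STORAGE_ROOT, action, agentid, f"{index}.txt")


def is_within_root(path, root=STORAGE_ROOT):
    """True only if the lexically normalised path stays strictly under root.
    normpath collapses '.' and '..'; normcase makes the compare case-insensitive
    and unifies '/' and '\\' as Windows would."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    path_n = ntpath.normcase(ntpath.normpath(path))
    return path_n.startswith(root_n + ntpath.sep)


def safe_target(action, agentid, index):
    """Hardened form: allow-list each caller-controlled segment, require a
    numeric index, then verify containment. Returns the path or None."""
    if not (SAFE_SEGMENT.match(action) and SAFE_SEGMENT.match(agentid)):
        return None
    if not str(index).isdigit():
        return None
    path = ntpath.join(STORAGE_ROOT, action, agentid, f"{int(index)}.txt")
    return path if is_within_root(path) else None


if __name__ == "__main__":
    # The advisory's benign request versus a traversal in the 'action' field.
    print(unsafe_target("one", "two", 1))
    print(unsafe_target(r"..\..\one", "two", 1), "->", safe_target(r"..\..\one", "two", 1))
```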
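Detection logic for all three advisories above, run over a few constructed IIS-style log lines (added example, not Novacoast's or PatchLink's code): it flags SQL metacharacters in checkprofile.asp's agentid, unauthenticated additions or deletions to the proxyreg.asp PDP list, and path syntax in nwupload.asp's action or agentid. The log field layout is an assumed W3C subset and every line is made up.

```python
"""Flag suspicious requests to the PLUS /dagent endpoints named above.
Added example; log lines are constructed and the field layout is assumed."""
import re
from urllib.parse import parse_qs

# Constructed lines (fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2006-06-28 10:01:02 10.0.0.5 GET /dagent/checkprofile.asp agentid=11111 200
2006-06-28 10:01:09 10.0.0.9 GET /dagent/checkprofile.asp agentid=11111';%20INSERT%20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20('something')-- 200
2006-06-28 10:02:15 10.0.0.9 GET /dagent/proxyreg.asp Proxy=www.hostileproxy.com:1337 200
2006-06-28 10:02:40 10.0.0.7 GET /dagent/proxyreg.asp List= 200
2006-06-28 10:03:01 10.0.0.9 GET /dagent/nwupload.asp action=..%5C..%5Cone&agentid=two&data=x&index=1 200
2006-06-28 10:03:30 10.0.0.5 GET /dagent/nwupload.asp action=one&agentid=two&data=ok&index=1 200
"""

# A legitimate agentid is numeric; quotes, comment markers and SQL verbs are not.
SQLI = re.compile(r"['\";]|--|/\*|\b(insert|update|delete|exec|union|select)\b", re.I)
# Path syntax never belongs in an agent id or an action name.
TRAVERSAL = re.compile(r"\.\.|[\\/:]")


def classify(line):
    """Return (client_ip, finding) for a suspicious request, else None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    client, stem, query = parts[2], parts[4].lower(), parts[5]
    # parse_qs percent-decodes values, so the regexes see the real payload.
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if stem.endswith("/dagent/checkprofile.asp") and SQLI.search(params.get("agentid", "")):
        return (client, "sqli")
    if stem.endswith("/dagent/proxyreg.asp") and ("Proxy" in params or "Delete" in params):
        return (client, "pdp-list-modified")  # List= alone is normal FastPatch traffic
    if stem.endswith("/dagent/nwupload.asp") and any(
            TRAVERSAL.search(params.get(k, "")) for k in ("action", "agentid")):
        return (client, "traversal")
    return None


def scan(log_text):
    """Run classify over every line and collect the findings in order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG):
        print(f"{client}: {finding}")
```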


Copyright 2019, cxsecurity.com