Sun Secure Global Desktop prior 4.3 multiple remote vulnerabilities
scip AG Vulnerability ID 2555 (09/21/2006)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555
I. INTRODUCTION
Sun Secure Global Desktop (SSGD, formerly known as Tarantella[1]) is an
open-source remote desktop solution with a basic amount of security.
More information is available at the official product demo web site at
the following URL:
https://sgddemo.sun.com/
II. DESCRIPTION
Marc Ruef at scip AG found six undisclosed web-based vulnerabilities in
Sun Secure Global Desktop prior 4.3. These can be divided into two classes:
1. Cross site scripting
Some scripts that are not protected by any authentication procedure can
be used to run arbitrary script code within a cross site scripting attack.
2. Revealing of sensitive information
Some scripts that are not protected by any authentication procedure can
be accessed to reveal sensitive information (e.g. internal hostnames,
applied software version, details about settings) about the target host.
III. EXPLOITATION
Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities.
A plugin for the open-source exploiting framework "Attack Tool Kit"
(ATK) will be published in the near future. [2]
We are not going to publish any further technical details or an exploit
suite due to Sun has not published any patches as far as we know. See
vendor response and disclosure timeline for further details.
IV. IMPACT
Because non-authenticated parts of the software are affected, this
vulnerabilities are serious for every secure environment.
Non-authenticated users might be able to exploit the flaws to gain
elevated privileges (e.g. extracting sensitive cookie information or
launch a buffer overflow attack against another web browser).
V. DETECTION
Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement.
VI. SOLUTION
We have informed sun on a very early stage. They said that the problems
will be addressed with a bugfix for the currently shipping version 4.2
and will no longer be existing in the upcoming version 4.3. We were told
that the public release for the patch is at the end of August 2006. Due
to no public release was made and our last emails were not answered, we
do not know what kind of official solution is available. This is why we
are not going to publish any technical details or exploits at the
moment. De-activate the following scripts to gain a higher level of
security:
- ttaarchives.cgi
- ttaAuthentication.jsp
- ttalicense.cgi
- ttawlogin.cgi
- ttawebtop.cgi
- ttaabout.cgi
- test-cgi
VII. VENDOR RESPONSE
Sun Microsystems Inc. has been informed a first time at 07/04/2006 via
email to contactus-at-sun.com. Because no reply came back we decided to
send a forwarding at 07/18/2006 to security-alert-at-sun.com. A first
response came back on the same day. Several email messages were
exchanged to discuss the vulnerabilities and to co-ordinate the
disclosure of this advisory. However, the last emails since 09/15/2006
have not been answered.
VIII. SOURCES
scip AG - Security Consulting Information Process (german)
http://www.scip.ch
scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555
computec.ch document data base (german)
http://www.computec.ch/download.php?list.26
IX. DISCLOSURE TIMELINE
06/06/06 Identification of the vulnerabilities
07/04/06 First information to contactus-at-sun.com
07/18/06 Second information to security-alert-at-sun.com
09/15/06 Sending the last email which is still unanswered
09/21/06 Public disclosure of this advisory
IX. CREDITS
The vulnerabilities were discovered by Marc Ruef.
Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch
A1. BIBLIOGRAPHY
[1] http://news.com.com/Sun+to+buy+Tarantella/2100-1012_3-5701487.html
[2] http://www.computec.ch/projekte/atk/
A2. LEGAL NOTICES
Copyright (c) 2006 scip AG, Switzerland.
Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.