Safend Data Protector 3.4.5586.9772 Multiple Vulnerabilities

2012-11-29 / 2012-11-30
Risk: High
Local: Yes
Remote: No
CWE: N/A

Safend Data Protector Multiple Vulnerabilities (Client software) 3.4.5586.9772:

Advisory Link: http://www.reactionpenetrationtesting.co.uk/safend-private-key-log-file.html

Details
CVE number: CVE-2012-4767
The private key data is in the ecuritylayer.log file in a directory called "logs.9772". This key could potentially be used to decrypt communications between the client and server and ultimately affect the security policies applied to the machine.

Impact
An attacker may be able to decrypt and potentially change the Safend security policies applied to the machine.

Advisory Link: http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-write-dac-priv-esc.html

Details
CVE number: CVE-2012-4760
The SDBagent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC privilege would allow a local user to rewrite the ACL and give himself full control of the file, which could then be trojaned to gain full local admin privileges.

The following is the output from the cacls command:

C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe BUILTIN\Users:(special access:)
        READ_CONTROL
        WRITE_DAC
        SYNCHRONIZE
        FILE_GENERIC_READ
        FILE_GENERIC_EXECUTE
        FILE_READ_DATA
        FILE_READ_EA
        FILE_EXECUTE
        FILE_READ_ATTRIBUTES
    NT AUTHORITY\SYSTEM:F
    BUILTIN\Users:R
    BUILTIN\Power Users:C
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F

Impact
An attacker may be able to elevate privileges to local administrator level.

Advisory Link: http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-write-dac-priv-esc.html

Details
CVE number: CVE-2012-4760
The SDPagent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC privilege would allow a local user to rewrite the ACL and give himself full control of the file, which could then be trojaned to gain full local admin privileges.

The following is the output from the cacls command:

C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe BUILTIN\Users:(special access:)
        READ_CONTROL
        WRITE_DAC
        SYNCHRONIZE
        FILE_GENERIC_READ
        FILE_GENERIC_EXECUTE
        FILE_READ_DATA
        FILE_READ_EA
        FILE_EXECUTE
        FILE_READ_ATTRIBUTES

Impact
An attacker may be able to elevate privileges to local administrator level.

Advisory Link: http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-unquoted-path-priv-esc.html

Details
CVE number: CVE-2012-4761
The SDBAgent Windows service path has spaces in the path and is not quoted:

    C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe

Instead of:

    "C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"

This could allow a user with write access to the C: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe") which would be run in place of the intended file.

Impact
An attacker may be able to elevate privileges to local system level.

Advisory Link: http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-unquoted-path-priv-esc.html

Details
CVE number: CVE-2012-4761
The SDPAgent Windows service path has spaces in the path and is not quoted:

    C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe

Instead of:

    "C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"

This could allow a user with write access to the C: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe") which would be run in place of the intended file.

Impact
An attacker may be able to elevate privileges to local system level.

Best regards,
Joe

Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk
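An audit check for the unquoted service path issue (CVE-2012-4761) described above, added here as an example and not part of the original advisory or of Safend's software. It takes service ImagePath strings and lists the locations Windows would try before the intended binary, which are the paths whose permissions need checking until the ImagePath is quoted. The function names, the sample dictionary and the service key names are assumptions.

```python
import re

def hijack_candidates(image_path: str) -> list[str]:
    """Executables Windows would try before the intended one.

    An empty list means the path is quoted or has no space before ".exe".
    """
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return []  # quoted: the executable name is unambiguous
    # The intended binary ends at the first ".exe" followed by a space or the
    # end of the string; what follows is arguments and is ignored.
    m = re.search(r"\.exe(?=\s|$)", cmd, re.IGNORECASE)
    if m is None:
        return []  # no ".exe" in the value (e.g. a driver): not analysed here
    exe = cmd[:m.end()]
    # Each space inside the path is a point where the name can be cut short,
    # with ".exe" appended to the truncated prefix.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service with an unquoted, space-containing path to its candidates."""
    findings = {}
    for name, path in services.items():
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings

# Constructed sample: service name -> ImagePath, as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The two Safend
# paths are the ones quoted in the advisory; the key names are assumptions.
SAMPLE = {
    "SDBAgent": r"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe",
    "SDPAgent": r"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe",
    "QuotedSvc": r'"C:\Program Files\Example\svc.exe" --run',
    "SvcHost": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, candidates in audit(SAMPLE).items():
        print(f"{name}: unquoted ImagePath; non-admins must not be able to create:")
        for c in candidates:
            print("   ", c)
```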

References:

http://www.reactionis.co.uk
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-unquoted-path-priv-esc.html
http://www.reactionpenetrationtesting.co.uk/safend-private-key-log-file.html


Copyright 2024, cxsecurity.com