CVE-2012-4760

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam™
Beyond Security®

SecuriTeam™ Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

	SecuriTeam™ in Your Inbox

	E-mail this CVE-2012-4760 to a friend

New vulnerability?
New tool?
Tell us

Credit:
The information has been provided by Joe.

The original article can be found at: http://www.reactionpenetrationtesting.co.uk/safend-private-key-log-file.html
The original article can be found at: http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-write-dac-priv-esc.html

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Check for CVE-2012-4760

Vulnerability Assessment and Management.
Automated Pen Testing for 50 to 50,000 nodes
beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Safend Data Protector (Client software) 3.4.5586.9772

CVE number: CVE-2012-4767
The private key data is in the securitylayer.log file in a directory called "logs.9772". This key could potentially be used to decrypt communications between the client and server and ultimately affect the security policies applied to the machine. An attacker may be able to decrypt and potentially change the Safend security policies applied to the machine.

CVE number: CVE-2012-4760
The SDBagent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC privilege would allow a local user to rewrite the acl and give himself full control of the file which could then be trojaned to gain full local admin privileges. The following is the output from the cacls command:

C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe BUILTIN\Users:(special access:)

READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES

NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

An attacker may be able to elevate privileges to local administrator level.

CVE number: CVE-2012-4760
The SDPagent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC privilege would allow a local user to rewrite the acl and give himself full control of the file which could then be trojaned to gain full local admin privileges. The following is the output from the cacls command:

C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe BUILTIN\Users:(special access:)

READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES

An attacker may be able to elevate privileges to local administrator level.

CVE number: CVE-2012-4761
The SDBAgent Windows service path has spaces in the path and is not quoted:

C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe

Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"

This could allow a user with write access to the c: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe") which would be run in place of the intended file. An attacker may be able to elevate privileges to local system level.

CVE number: CVE-2012-4761
The SDPAgent Windows service path has spaces in the path and is not quoted:

C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe

Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"

This could allow a user with write access to the c: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe") which would be run in place of the intended file. An attacker may be able to elevate privileges to local system level.

CVE Information:
CVE-2012-4767
CVE-2012-4760
CVE-2012-4761

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus