Netscape (iPlanet) Certificate Management System, Netscape Directory Server and Netscape Administration Server share components that suffer from two notable vulnerabilities: a path traversal vulnerability, which enables attackers to access files outside the web root directory, and clear-text password storage, which saves the administrative password in clear-text files.
The combination of these two vulnerabilities completely compromises the server's administrative password, and thus the entire product security system.
Credit:
The information has been provided by Iván Arce.
Vulnerable Packages/Systems:
Netscape Certificate Management System 4.2 (MS Windows NT 4.0 version)
Netscape Directory Server 4.12 (MS Windows NT 4.0 version)
1. Path Traversal Vulnerability
The first vulnerability is a classic path traversal vulnerability whereby a user can supply a crafted URL and access files outside the web root directory. This results in the remote user being able to read/download any file that the server process itself (based on its permissions) may access.
2. Administrator password is stored in clear text
The 'Admin' password for these packages is stored in plaintext in admin-serv\config\adm.conf. Combined with the previous vulnerability, this allows anyone to obtain the password remotely and perform admin duties if network access to the admin server is available.
Solution/Vendor Information/Workaround:
Contact the vendor for a fix. Patches for iPlanet products can be obtained from:
http://www.iplanet.com/downloads/patches.index.html
Technical Description - Exploit/Concept Code:
Several components installed by CMS 4.2 for Windows NT 4.0 allow an attacker to read/download any file outside the web root directory if access to any of the following servers is given:
- The Agent services server on port 8100/tcp
- The End Entity services server on port 443/tcp (This is normally accessible for any user over SSL)
- The Administrator services server listening on a random port chosen during the installation process, or on port 8200 if configured to do so (not the default behavior).
By using '\../' in the URI an attacker can get out of the server's root directory and open any file. The following example demonstrates the problem using the End Entity services server:
A request for https://www.example.com/ca/\../\../\../\../\../\win.ini will open and display the requested file.
The admin password is stored in plaintext in admin-serv\config\adm.conf. Combined with the previous bug, this allows anyone to obtain the password remotely and perform admin duties if network access to the admin server is available.
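The following is an added example, not code from the advisory or from the iPlanet products: a web-root containment check that treats '\' as a path separator, as the Windows-hosted servers above do, placed beside the naive substring filter that the '\../' form slips past, plus a scanner that flags traversal requests in access-log lines. The document root and the log lines are constructed for the example.

```python
# Added example (not from the advisory): containment check versus naive filter
# for the '\../' traversal form, plus an access-log scanner. Hypothetical paths.
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/srv/ee/docs"  # hypothetical document root (POSIX form for portability)

def naive_blocks_traversal(uri_path: str) -> bool:
    """Weak filter: only rejects the literal '/../' sequence; '\\../' passes it."""
    return "/../" not in uri_path

def canonical_path(uri_path: str) -> str:
    """Percent-decode, unify '\\' to '/', then resolve '.' and '..' under DOC_ROOT."""
    unified = unquote(uri_path).replace("\\", "/")
    return posixpath.normpath(posixpath.join(DOC_ROOT, unified.lstrip("/")))

def is_within_root(uri_path: str) -> bool:
    """Robust check: the fully resolved path must stay at or below DOC_ROOT."""
    resolved = canonical_path(uri_path)
    return resolved == DOC_ROOT or resolved.startswith(DOC_ROOT + "/")

# '..' followed by either separator, with each character optionally percent-encoded.
TRAVERSAL_RE = re.compile(r"(?:%2e|\.){2}(?:%2f|%5c|[/\\])", re.IGNORECASE)

def flag_traversal_requests(log_lines):
    """Return (line_number, request_path) for log lines carrying a traversal sequence."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines in common log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /ca/index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2001:10:00:01 +0000] "GET /ca/\\../\\../\\../\\../\\../\\win.ini HTTP/1.0" 200 92',
    '10.0.0.9 - - [01/Jan/2001:10:00:02 +0000] "GET /ca/%5c..%5cadmin-serv/config/adm.conf HTTP/1.0" 200 311',
]

if __name__ == "__main__":
    bad = "/ca/\\../\\../\\../\\../\\../\\win.ini"
    print(naive_blocks_traversal(bad), is_within_root(bad))  # True False
    print(flag_traversal_requests(SAMPLE_LOG))  # flags lines 2 and 3
```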