Title: Vulnerability Report For iPlanet CMS and Netscape Directory Server
Released by: CORE SDI
Date: 26th October 2000
                              CORE SDI
                        http://www.core-sdi.com

  Vulnerability Report For iPlanet CMS and Netscape Directory Server

Date Published: 2000-10-26
Advisory ID: CORE-2000-10-26
Bugtraq ID: 1839
CVE CAN: None currently assigned.
Title: Path traversal and administrator password in clear text
       vulnerabilities
Class: Access Validation Error/Design Error
Remotely Exploitable: Yes
Locally Exploitable: Yes

Vulnerability Description:

 Netscape (iPlanet) Certificate Management System, Netscape
 Directory Server and Netscape Administration Servers share components which
 suffer from two notable vulnerabilities.

1. Path Traversal Vulnerability

 The first vulnerability is a classic path traversal vulnerability
 whereby a user can supply a crafted URL and access files outside the web
 root directory. This results in the remote user being able to read/download
 any file which the server itself (based on its permissions) may access.

2. Administrator password is stored in clear text

 The 'Admin' password for these packages is stored in plaintext in
 admin-serv\config\adm.conf. This, in combination with the previous
 vulnerability, allows anyone to obtain the password remotely and
 perform admin duties if network access to the admin server is
 available.



Vulnerable Packages/Systems:

  Netscape Certificate Management System 4.2 (MS Windows NT 4.0 version)
  Netscape Directory Server 4.12 (MS Windows NT 4.0 version)



Solution/Vendor Information/Workaround:

 Contact the vendor for a fix. Patches for iPlanet products
 can be obtained from
  http://www.iplanet.com/downloads/patches.index.html

 Additionally, advisories and information on security issues
 of these particular Netscape products can be obtained from:

 (iPlanet) Certificate Management System
        http://www.securityfocus.com/bid/676

 Netscape Directory Server
        http://www.securityfocus.com/bid/676



Vendor notified on: 10/02/2000

Credits:

 These vulnerabilities were found by Emiliano Kargieman and
 Agustin Kato Azubel from CORE SDI S.A., Buenos Aires, Argentina.

 This advisory was drafted with the help of the SecurityFocus.com
 Vulnerability Help Team. For more information or assistance drafting
 advisories please mail vulnhelp@securityfocus.com.





Technical Description - Exploit/Concept Code:

 Several components installed by CMS 4.2 for Windows NT 4.0 allow an
 attacker to read/download any file outside the web root directory
 provided that access to any of the following servers is given:

 - The Agent services server on port 8100/tcp
 - The End Entity services server on port 443/tcp (this is normally
   accessible to any user over SSL)
 - The Administrator services server listening on a random port
   chosen during the installation process, or on port 8200 if
   configured to do so (not the default behavior).

   By using '\../' in the URI an attacker can get out
   of the server's root directory and open any file.
   The following example demonstrates the problem using the
   End Entity services server:

   A request for https://server/ca/\../\../\../\../\../\win.ini will
   open and display the requested file.
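The request above escapes the document root because the server's path
normalisation only recognises '/' as a separator, while the Windows NT file
system underneath also accepts '\'. The following is an added example, not
code from the advisory or from iPlanet/Netscape, contrasting that weak check
with a containment check that canonicalises '\' to '/' and decodes the path
once before looking for parent references. The document root
/srv/cms/docroot and the sample request URIs are constructed for the
demonstration; the first sample is the form the advisory reports.

```python
# Added example (not from the CORE SDI advisory or the iPlanet products).
# Shows why a traversal check that only knows the '/..' form misses '\..'
# on Windows, and a containment check that treats '\' as a separator.
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Assumed document root, constructed for this example.
WEB_ROOT = PurePosixPath("/srv/cms/docroot")


def naive_is_traversal(uri: str) -> bool:
    """The weak check: splits on '/' only, so a segment such as '\\..'
    never compares equal to '..' and the request is waved through."""
    return ".." in unquote(urlsplit(uri).path).split("/")


def resolve_under_root(uri: str, web_root: PurePosixPath = WEB_ROOT):
    """Map a request URI onto the filesystem under web_root, or return None
    if any parent reference would climb above it.  Percent-decoding happens
    exactly once, before separator handling, so '%5c' cannot slip past."""
    path = unquote(urlsplit(uri).path)
    # Windows file APIs accept '\' as a separator, so canonicalise it first.
    path = path.replace("\\", "/")
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                 # empty and '.' segments are no-ops
        if segment == "..":
            if not parts:
                return None          # climbing above the root: reject
            parts.pop()
        else:
            parts.append(segment)
    return web_root.joinpath(*parts)


def audit(uris):
    """Return the URIs that the naive check accepts but the containment
    check rejects, i.e. the naive check's blind spot."""
    return [u for u in uris
            if not naive_is_traversal(u) and resolve_under_root(u) is None]


# Constructed sample requests; the first is the form the advisory reports.
SAMPLE_URIS = [
    "https://server/ca/\\../\\../\\../\\../\\../\\win.ini",
    "https://server/ca/../../../../../win.ini",
    "https://server/ca/%5c..%5c..%5c..%5cwin.ini",
    "https://server/ca/index.html",
    "https://server/ca/./images/logo.gif",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:55} naive={naive_is_traversal(uri)!s:5} "
              f"resolved={resolve_under_root(uri)}")
    print("missed by naive check:", audit(SAMPLE_URIS))
```

Running the block shows the backslash and percent-encoded forms passing the
naive check while the containment check rejects them; the same containment
logic, applied to access-log URIs, flags the traversal attempts the weak
check would have logged as ordinary file requests.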





 - Admin password is stored in plaintext in admin-serv\config\adm.conf.
   This in addition to the previous bug will allow anyone to obtain the
   password remotely and perform admin duties if network access to the
   admin server is available.



DISCLAIMER:

 The contents of this advisory are copyright (c) 2000 CORE SDI S.A.
 and may be distributed freely provided that no fee is charged for this
 distribution and proper credit is given.

$Id: iPlanet-path-and-adminpw-advisory.txt,v 1.4 2000/10/26 20:55:58 iarce Exp $



---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce@core-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================










