####################################################################### Luigi Auriemma Application: ASG-Sentry http://www.asg-sentry.com Versions: <= 7.0.0 Platforms: Windows and Unix Bugs: A] arbitrary files deleting B] heap-overflow in FxAgent C] termination of FxIAList D] buffer-overflow in FxIAList Exploitation: remote Date: 10 Mar 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "The ASG-Sentry family of products is a suite of tools strategically engineered to control, monitor, manage, and enhance your network. Sentry's tools provide you with full visibility to your network from any Web browser. Sentry also allows you to fully instrument your company's applications, CPUs, disk space, memory, files, Windows and UNIX platforms, and more." ####################################################################### ======= 2) Bugs ======= --------------------------- A] arbitrary files deleting --------------------------- The fcheck.exe (File Check Utility) CGI available in ASG is used for handling some index files which contain a list of filenames and checksums. The -b option of this utility allows the creation of these index files and is possible to specify both the name of the output file and, optionally, the folder which will be scanned recursively for finding and reading the various files to add to the list. The first vulnerability is in the possibility for an external attacker to use this CGI for overwriting existent files with no data (specifying a new folder which will be created by the same program) or with the list of filenames described before. Naturally is possible to specify both files on the local disks or on network shares. The second effect instead is the possibility of occupying CPU and disk for the scanning of any file in the disk simply specyfing, for example, c:\ as folder. --------------------------- B] heap-overflow in FxAgent --------------------------- The FxAgent process running on UDP port 6161 is used for handling the various SNMP requests. A community field longer than 64 bytes can be used by an attacker to exploit a heap-overflow. -------------------------- C] termination of FxIAList -------------------------- FxIAList is a service which runs on the TCP port 6162 and is used for the logging operations which include the commands "exit", "trace on" "verbose", "trace off" and the name of the log file to create (xxxx.xx.xx) and its content. The main problem is that the server doesn't require authentication so anyone can send the "exit" command and the service will just terminate. ------------------------------ D] buffer-overflow in FxIAList ------------------------------ The same service described before is affected also by a stack based buffer-overflow which happens during the copying of the data we want to write to the log file (max 1023 bytes) in a buffer of only 500. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/asgulo.zip A] http://SERVER:6161/snmx-cgi/fcheck.exe?-b+..\../..\boot.ini http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\windows\win.ini http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\file.txt+c:\ http://SERVER:6161/snmx-cgi/fcheck.exe?-b+\host\document.txt this link for the network share is correct because Apache converts any backslash to double so that one becomes \\host\\document.txt B] nc SERVER 6161 -v -v -u < asgulo_fxagent.txt C] nc SERVER 6162 -v -v -w 1 < asgulo-ialist1.txt D] nc SERVER 6162 -v -v -w 1 < asgulo-ialist2.txt ####################################################################### ====== 4) Fix ====== No fix #######################################################################