[scip_Advisory 2555] Sun Secure Global Desktop prior 4.3 multiple remote vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, partners@xxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
Subject: [scip_Advisory 2555] Sun Secure Global Desktop prior 4.3 multiple remote vulnerabilities
From: Marc Ruef <maru@xxxxxxx>
Date: Thu, 21 Sep 2006 10:19:35 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.scip.ch
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

Sun Secure Global Desktop prior 4.3 multiple remote vulnerabilities

scip AG Vulnerability ID 2555 (09/21/2006)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555

I. INTRODUCTION

Sun Secure Global Desktop (SSGD, formerly known as Tarantella[1]) is anopen-source remote desktop solution with a basic amount of security.

More information is available at the official product demo web site atthe following URL:


    https://sgddemo.sun.com/

II. DESCRIPTION

Marc Ruef at scip AG found six undisclosed web-based vulnerabilities inSun Secure Global Desktop prior 4.3. These can be divided into two classes:


1. Cross site scripting

Some scripts that are not protected by any authentication procedure canbe used to run arbitrary script code within a cross site scripting attack.


2. Revealing of sensitive information

Some scripts that are not protected by any authentication procedure canbe accessed to reveal sensitive information (e.g. internal hostnames,applied software version, details about settings) about the target host.


III. EXPLOITATION

Classic script injection techniques and unexpected input data within abrowser session can be used to exploit these vulnerabilities.

A plugin for the open-source exploiting framework "Attack Tool Kit"(ATK) will be published in the near future. [2]

We are not going to publish any further technical details or an exploitsuite due to Sun has not published any patches as far as we know. Seevendor response and disclosure timeline for further details.


IV. IMPACT

Because non-authenticated parts of the software are affected, thisvulnerabilities are serious for every secure environment.Non-authenticated users might be able to exploit the flaws to gainelevated privileges (e.g. extracting sensitive cookie information orlaunch a buffer overflow attack against another web browser).


V. DETECTION

Detection of web based attacks requires a specialized web proxy and/orintrusion detection system. Patterns for such a detection are availableand easy to implement.


VI. SOLUTION

We have informed sun on a very early stage. They said that the problemswill be addressed with a bugfix for the currently shipping version 4.2and will no longer be existing in the upcoming version 4.3. We were toldthat the public release for the patch is at the end of August 2006. Dueto no public release was made and our last emails were not answered, wedo not know what kind of official solution is available. This is why weare not going to publish any technical details or exploits at themoment. De-activate the following scripts to gain a higher level ofsecurity:


- ttaarchives.cgi
- ttaAuthentication.jsp
- ttalicense.cgi
- ttawlogin.cgi
- ttawebtop.cgi
- ttaabout.cgi
- test-cgi

VII. VENDOR RESPONSE

Sun Microsystems Inc. has been informed a first time at 07/04/2006 viaemail to contactus-at-sun.com. Because no reply came back we decided tosend a forwarding at 07/18/2006 to security-alert-at-sun.com. A firstresponse came back on the same day. Several email messages wereexchanged to discuss the vulnerabilities and to co-ordinate thedisclosure of this advisory. However, the last emails since 09/15/2006have not been answered.


VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555

computec.ch document data base (german)
http://www.computec.ch/download.php?list.26

IX. DISCLOSURE TIMELINE

06/06/06 Identification of the vulnerabilities
07/04/06 First information to contactus-at-sun.com
07/18/06 Second information to security-alert-at-sun.com
09/15/06 Sending the last email which is still unanswered
09/21/06 Public disclosure of this advisory

IX. CREDITS

The vulnerabilities were discovered by Marc Ruef.

    Marc Ruef, scip AG, Zuerich, Switzerland
    maru-at-scip.ch
    http://www.scip.ch

A1. BIBLIOGRAPHY

[1] http://news.com.com/Sun+to+buy+Tarantella/2100-1012_3-5701487.html
[2] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2006 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may notbe edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the timeof publishing based on currently available information. There are nowarranties with regard to this information. Neither the author nor thepublisher accepts any liability for any direct, indirect orconsequential loss or damage from use of or reliance on this advisory.

Prev by Date: [USN-350-1] Thunderbird vulnerabilities
Next by Date: Re: HitWeb v3.0 - Remote File Include Vulnerabilities
Previous by thread: [USN-350-1] Thunderbird vulnerabilities
Next by thread: [ MDKSA-2006:166 ] - Updated gnutls packages fixes PKCS signature verification issue.
Index(es):
- Date
- Thread