BitDefender Update Server - Unauthorized Remote File Access Vulnerability
=========================================================================

* Affected Products:
 - BitDefender Security for Fileservers
 - BitDefender Enterprise Manager (BDEM)
 - All BitDefender products that ship with the internal Update Server component

* Discovered by: Oliver Karow
  http://oliver.greyhat.de/2008/01/19/bitdefender-unauthorized-remote-file-access-vulnerability/

* Vulnerable platform: Windows

* Vulnerable Version: N/A

Product/Company Information:
============================

- From BitDefender's web site:

"BitDefender™ provides security solutions to satisfy the protection
requirements of today's computing environment, delivering effective threat
management for over 41 million home and corporate users in more than 100
countries. BitDefender, a division of SOFTWIN, is headquartered in Bucharest,
Romania and has offices in Tettnang, Germany, Barcelona, Spain and Fort
Lauderdale (FL), USA.

... The Update Server allows you to set up an upgrade location within your
local network. This way you needn't worry about updating the products installed
on computers that are not connected to the Internet, achieving, at the same
time, faster updates and reduced Internet traffic. The BitDefender Update
Server is easy to configure through an intuitive step-by-step wizard. It will
help you get the latest updates for all BitDefender products."

Vulnerability / Exploit
=======================

The Update Server, which is part of several of BitDefender's enterprise
products, runs an HTTP daemon. The http.exe process runs with LocalSystem
privileges and is vulnerable to the plain old directory traversal
vulnerability. Thus it is possible to access files outside of the application's
root directory with those privileges, i.e. as LocalSystem.

To exploit, simply do a

    echo -e "GET /../../boot.ini HTTP/1.0\r\n\r\n" | nc <server> <port>

or use your web browser :)
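
The defensive counterpart of the request above, as an added example that is not
part of the original advisory and not BitDefender's code: a path canonicaliser
that maps a request path onto a document root and refuses anything that would
climb above it (raw, URL-encoded, double-encoded or backslash-separated
traversal, drive letters, NUL), plus a check that flags such requests in access
logs. The document root, the function names and the log-line format are
assumptions made for this example.

```python
"""Added example (not BitDefender's code): canonicalise request paths so a
traversal sequence cannot map outside the document root, and flag such
requests in an access log.  DOC_ROOT, the function names and the log format
are assumptions made for this example."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical document root of the update server (assumed, not the real path)
DOC_ROOT = "/srv/bdupdate/htdocs"

# Constructed log format: '<date> <time> <client> "<method> <path> HTTP/x.y" <status>'
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def resolve_under_root(doc_root: str, raw_path: str) -> Optional[str]:
    """Map a raw request path onto doc_root.

    Returns the canonical path below doc_root, or None when the request
    would resolve above the root (directory traversal) or contains a
    segment that a Windows filesystem would treat specially.
    """
    path = raw_path.split("?", 1)[0]            # drop the query string
    # Decode twice so %2e%2e and double-encoded %252e%252e both become ".."
    for _ in range(2):
        path = unquote(path)
    # A Windows daemon accepts both separators; treat them alike
    path = path.replace("\\", "/")

    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                             # empty or current-dir segment
        if seg == "..":
            if not segments:
                return None                      # would climb above doc_root
            segments.pop()
            continue
        if ":" in seg or "\x00" in seg:
            return None                          # drive letter, ADS or NUL tricks
        segments.append(seg)

    # posixpath.join is used deliberately: os.path.join on Windows would
    # restart at a drive letter such as "C:" and silently discard doc_root.
    return posixpath.join(doc_root, *segments)


def flag_traversal(log_lines: List[str]) -> List[str]:
    """Return the request paths in an access log that escape DOC_ROOT."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and resolve_under_root(DOC_ROOT, m.group("path")) is None:
            flagged.append(m.group("path"))
    return flagged


# Constructed access-log lines for the demo (not real BitDefender logs)
SAMPLE_LOG = [
    '2008-01-19 10:00:01 10.0.0.5 "GET /cumulative.txt HTTP/1.0" 200',
    '2008-01-19 10:00:02 10.0.0.9 "GET /../../boot.ini HTTP/1.0" 200',
    '2008-01-19 10:00:03 10.0.0.9 "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.0" 200',
    '2008-01-19 10:00:04 10.0.0.9 "GET /..\\..\\boot.ini HTTP/1.0" 200',
    '2008-01-19 10:00:05 10.0.0.5 "GET /updates/../cumulative.txt HTTP/1.0" 200',
]

if __name__ == "__main__":
    for p in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", p)
```

The check is done on path segments rather than on the result of `normpath`,
because `posixpath.normpath("/../../boot.ini")` quietly returns
`/boot.ini` and a prefix comparison against the root would then pass. Running
the same canonicaliser over the access log gives a cheap detection for the
traversal pattern the advisory describes, which is useful on a host where the
daemon cannot be patched immediately.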

History:
========
* Date of Discovery: 07. Dec. 2007
* Mail to vendor: 16. Jan. 2008; security@xxxxxxxxxxxxxxx
* Response from Vendor: 18. Jan. 2008; requesting me to open an account to get
  access to BitDefender's Support :)
* Advisory Release: 19. Jan. 2008