SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Sun Secure Global Desktop Vendors:   Sun
Sun Secure Global Desktop Input Validation Holes Permit Cross-Site Scripting Attacks and Disclose System Information to Remote Users
SecurityTracker Alert ID:  1016900
SecurityTracker URL:  http://securitytracker.com/id/1016900
CVE Reference:   CVE-2006-4959   (Links to External Site)
Updated:  Oct 3 2006
Original Entry Date:  Sep 21 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.3
Description:   Marc Ruef of scip AG reported several vulnerabilities in Sun Secure Global Desktop. A remote user can conduct cross-site scripting attacks. A remote user can obtain potentially sensitive information.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Sun Secure Global Desktop interface and will run in the security context of the system. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the system, access data recently submitted by the target user via web form to the system, or take actions on the system acting as the target user.

A remote user can also access certain scripts to obtain potentially sensitive information about the target system, such as internal hostnames, software version status, and configuration settings.

The following scripts are affected by the cross-site scripting and information disclosure vulnerabilities:

- ttaarchives.cgi
- ttaAuthentication.jsp
- ttalicense.cgi
- ttawlogin.cgi
- ttawebtop.cgi
- ttaabout.cgi
- test-cgi

The vendor was notified on July 4, 2006.

The original advisory is available at:

http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Sun Secure Global Desktop software, access data recently submitted by the target user via web form to the system, or take actions on the system acting as the target user.

A remote user can obtain potentially sensitive information about the target system, such as internal hostnames, software version status, and configuration settings.

Solution:   Sun has issued the following fixes, available at:

http://www.sun.com/download/products.xml?id=43321db9

SPARC Platform

* Sun Secure Global Desktop Software 4.2 (for Solaris 8, 9, 10) build 4.20.983 or later

x86 Platform

* Sun Secure Global Desktop Software 4.2 (for Solaris 10) build 4.20.983 or later

Linux Platform

* Sun Secure Global Desktop Software 4.2 build 4.20.983 or later

The Sun advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102650-1

Vendor URL:  sunsolve.sun.com/search/document.do?assetkey=1-26-102650-1 (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Red Hat Enterprise), Linux (Red Hat Fedora), Linux (SuSE), UNIX (Solaris - SunOS)

Message History:   None.


 Source Message Contents

Date:  Thu, 21 Sep 2006 10:19:35 +0200
Subject:  [scip_Advisory 2555] Sun Secure Global Desktop prior 4.3 multiple

Sun Secure Global Desktop prior 4.3 multiple remote vulnerabilities

scip AG Vulnerability ID 2555 (09/21/2006)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555

I. INTRODUCTION

Sun Secure Global Desktop (SSGD, formerly known as Tarantella[1]) is an 
open-source remote desktop solution with a basic amount of security.

More information is available at the official product demo web site at 
the following URL:

     https://sgddemo.sun.com/

II. DESCRIPTION

Marc Ruef at scip AG found six undisclosed web-based vulnerabilities in 
Sun Secure Global Desktop prior 4.3. These can be divided into two classes:

1. Cross site scripting

Some scripts that are not protected by any authentication procedure can 
be used to run arbitrary script code within a cross site scripting attack.

2. Revealing of sensitive information

Some scripts that are not protected by any authentication procedure can 
be accessed to reveal sensitive information (e.g. internal hostnames, 
applied software version, details about settings) about the target host.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a 
browser session can be used to exploit these vulnerabilities.

A plugin for the open-source exploiting framework "Attack Tool Kit" 
(ATK) will be published in the near future. [2]

We are not going to publish any further technical details or an exploit 
suite due to Sun has not published any patches as far as we know. See 
vendor response and disclosure timeline for further details.

IV. IMPACT

Because non-authenticated parts of the software are affected, this 
vulnerabilities are serious for every secure environment. 
Non-authenticated users might be able to exploit the flaws to gain 
elevated privileges (e.g. extracting sensitive cookie information or 
launch a buffer overflow attack against another web browser).

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or 
intrusion detection system. Patterns for such a detection are available 
and easy to implement.

VI. SOLUTION

We have informed sun on a very early stage. They said that the problems 
will be addressed with a bugfix for the currently shipping version 4.2 
and will no longer be existing in the upcoming version 4.3. We were told 
that the public release for the patch is at the end of August 2006. Due 
to no public release was made and our last emails were not answered, we 
do not know what kind of official solution is available. This is why we 
are not going to publish any technical details or exploits at the 
moment. De-activate the following scripts to gain a higher level of 
security:

- ttaarchives.cgi
- ttaAuthentication.jsp
- ttalicense.cgi
- ttawlogin.cgi
- ttawebtop.cgi
- ttaabout.cgi
- test-cgi

VII. VENDOR RESPONSE

Sun Microsystems Inc. has been informed a first time at 07/04/2006 via 
email to contactus-at-sun.com. Because no reply came back we decided to 
send a forwarding at 07/18/2006 to security-alert-at-sun.com. A first 
response came back on the same day. Several email messages were 
exchanged to discuss the vulnerabilities and to co-ordinate the 
disclosure of this advisory. However, the last emails since 09/15/2006 
have not been answered.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2555

computec.ch document data base (german)
http://www.computec.ch/download.php?list.26

IX. DISCLOSURE TIMELINE

06/06/06 Identification of the vulnerabilities
07/04/06 First information to contactus-at-sun.com
07/18/06 Second information to security-alert-at-sun.com
09/15/06 Sending the last email which is still unanswered
09/21/06 Public disclosure of this advisory

IX. CREDITS

The vulnerabilities were discovered by Marc Ruef.

     Marc Ruef, scip AG, Zuerich, Switzerland
     maru-at-scip.ch
     http://www.scip.ch

A1. BIBLIOGRAPHY

[1] http://news.com.com/Sun+to+buy+Tarantella/2100-1012_3-5701487.html
[2] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2006 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not 
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time 
of publishing based on currently available information. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect or 
consequential loss or damage from use of or reliance on this advisory.
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC