AL-2006.0055 -- [Win] -- Patchlink Update Server and Novell ZENworks Patch Management multiple vulnerabilities

Date: 30 June 2006


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2006.0055 -- AUSCERT ALERT
                                   [Win]
          Multiple vulnerabilities in Patchlink Update Server and
                     Novell ZENworks Patch Management
                               30 June 2006

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              PatchLink Update Server 6.1 and 6.2
                      Novell ZENworks Patch Management 6.2 SR1 and prior
Publisher:            Novacoast
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Overwrite Arbitrary Files
                      Inappropriate Access
Access:               Remote/Unauthenticated

Comment: 
  This bulletin contains three separate Novacoast advisories describing
  vulnerabilities affecting both Patchlink Update Server and Novell
  ZENworks Patch Management.
         
  These potentially allow an attacker to execute arbitrary SQL
  statements on the PatchLink server as DBO, send malicious updates
  to clients or overwrite any files accessible by PLUS ADMINS.
         
  Patchlink has addressed these vulnerabilities in the following advisory:
  http://patchlink.custhelp.com/cgi-bin/patchlink.cfg/php/enduser/std_adp.php?p_faqid=303

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------
PatchLink Update Server 6 SQL Injection
-------------------------------------------------------------
Severity: Critical
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update Server
(PLUS). This could allow the attacker to execute SQL statements in the
PatchLink database as DBO.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability management solution for medium and large enterprise
networks.

Discussion
======

There is an SQL injection vulnerability in the checkprofile.asp script.
This unauthenticated script uses posted variables in an SQL call, which
can be exploited.

An unchecked, posted variable (agentid) is used to create an SQL
statement. The statement is run as "PLUS ANONYMOUS", who is a member of
PLUS ADMINS, and the PLUS ADMINS group is dbo on the PLUS database.
Thus the database can be manipulated as DBO via this attack.
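
The flaw described above, shown beside its fix, as an added example that is not Novacoast's or PatchLink's code. It assumes sqlite3 as a stand-in for the SQL Server database, a hypothetical Agents table and hypothetical function names; executescript() stands in for a driver that accepts stacked statements.

```python
import sqlite3

def make_db():
    """Constructed stand-in schema; only ReportErrors is named in the advisory."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE Agents (AgentID TEXT PRIMARY KEY, Profile TEXT);"
        "CREATE TABLE ReportErrors (ReportError_Description TEXT);"
        "INSERT INTO Agents VALUES ('11111', 'default');"
    )
    return db

def error_rows(db):
    """Current contents of ReportErrors."""
    return [r[0] for r in db.execute(
        "SELECT ReportError_Description FROM ReportErrors")]

def check_profile_concatenated(db, agentid):
    """'Before' form: the request value becomes part of the SQL text."""
    sql = "SELECT Profile FROM Agents WHERE AgentID = '" + agentid + "'"
    db.executescript(sql)  # runs every statement in the batch
    return error_rows(db)

def check_profile_parameterized(db, agentid):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT Profile FROM Agents WHERE AgentID = ?", (agentid,)).fetchone()
    return row[0] if row else None

# The agentid value from the advisory's example request, URL-decoded.
ADVISORY_AGENTID = ("11111'; INSERT INTO ReportErrors "
                    "(ReportError_Description) VALUES ('something')--")

if __name__ == "__main__":
    print(check_profile_concatenated(make_db(), ADVISORY_AGENTID))
    fixed = make_db()
    print(check_profile_parameterized(fixed, ADVISORY_AGENTID), error_rows(fixed))
```

Binding the parameter removes the injection. The query account being dbo is a separate matter that decides how far a successful injection reaches.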

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

The example exploit given here will write the string "something" into
the ReportErrors table:

    http://plus.company.org/dagent/checkprofile.asp?agentid=11111';%20INSERT%20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20('something')--

Recommended Solution
=============

Apply Vendor Patch
    PatchLink:
        PatchLink Update Server (PLUS) for 6.2 SR1 P1
        PatchLink Update Server (PLUS) for 6.1 P1
    Novell:
        http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

Disclaimer
======
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.




-------------------------------------------------------------
PatchLink Update Server 6 PDP Anonymous Access
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====

Novacoast has discovered a vulnerability in the PatchLink Update Server
(PLUS) Distribution Point Server Listing for PatchLink's FastPatch
application. Exploitation of this vulnerability could allow the
attacker to proxy requests by PatchLink Update Agents for patches, and
thus possibly inject arbitrary packages into the PatchLink environment.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability management solution for medium and large enterprise
networks.

PatchLink Distribution Point and FastPatch technology provide
intelligent distribution across the entire enterprise minimizing
deployment speeds and bandwidth utilization across the wide area
network.

Discussion
======

The asp page "proxyreg.asp" does not properly authenticate credentials
when accessed. The "proxyreg.asp" page appears to be used by the
PatchLink FastPatch software, which allows roaming PatchLink agents to
identify proxy servers on their network and connect to the closest or
fastest PatchLink Distribution Point (PDP) automatically. The asp page
returns a list of PDP servers in the organization's environment. An
unauthenticated user can list, add, and remove PDP servers from this
list.

This vulnerability would only affect organizations that use the
FastPatch add-on product. Organizations that use SSL to protect their
agent-to-PLUS communication will be unaffected by this attack.

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

1) To list all Proxy servers use:

    http://plus.company.org/dagent/proxyreg.asp?List=

    Use username/password of null/null for authentication.

2) To add a new Proxy server, use:

    http://plus.company.org/dagent/proxyreg.asp?Proxy=www.hostileproxy.com:1337

3) To delete a Proxy server, use:

    http://plus.company.org/dagent/proxyreg.asp?Delete=pdp1.company.org


Recommended Solution
=============

1) Apply Vendor Patch
    PatchLink:
        PatchLink Update Server (PLUS) for 6.2 SR1 P1
        PatchLink Update Server (PLUS) for 6.1 P1
    Novell:
        http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

2) Workaround
    Deploy SSL certificate authentication to secure traffic between
    agents and PLUS.






-------------------------------------------------------------
PatchLink Update Server 6 File Overwrite
-------------------------------------------------------------
Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)
-------------------------------------------------------------

Synopsis
=====
Novacoast has discovered a vulnerability in the PatchLink Update Server
(PLUS). This could allow the attacker to write or overwrite files on
the PLUS filesystem.

Background
======

PatchLink Update* is the core product of the leading patch and
vulnerability management solution for medium and large enterprise
networks.

Discussion
======

The application "nwupload.asp" allows unauthenticated connections, and
performs file writes for the requester as the user "PLUS ANONYMOUS"
(who is a member of the "PLUS ADMINS" Windows group by default). No
validation checks are performed to prevent directory traversal.

The application nwupload.asp writes a file into directories defined by
variables passed to the page, appended to a registry key value. By
default, on a Windows 2003 server, the registry key points to:
"C:\Program Files\Patchlink\Update Server\Storage". Since directory
traversals are not checked for, it is possible to write to any folder
on the PLUS that PLUS ANONYMOUS (or thus, the PLUS ADMINS group) has
access to.
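
The missing validation, written out as an added example that is not PatchLink's code. It assumes legitimate action and agentid values are short plain names (letters, digits, "_" and "-"); the function names and the traversal input are constructed for illustration.

```python
import ntpath  # Windows path semantics, whatever OS this runs on
import re

# Default storage directory quoted in the advisory.
STORAGE_ROOT = r"C:\Program Files\Patchlink\Update Server\Storage"
PLAIN_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumption: legitimate shape

def naive_upload_dir(action, agentid, root=STORAGE_ROOT):
    """'Before' form: request values are appended to the root unchecked."""
    return ntpath.normpath(ntpath.join(root, action, agentid))

def safe_upload_dir(action, agentid, root=STORAGE_ROOT):
    """Return the directory for an upload, or raise ValueError."""
    for name, value in (("action", action), ("agentid", agentid)):
        if not PLAIN_NAME.fullmatch(value):
            raise ValueError(f"{name} is not a plain directory name: {value!r}")
    base = ntpath.normcase(ntpath.normpath(root))
    target = ntpath.normpath(ntpath.join(root, action, agentid))
    # Defence in depth: the normalised result must still sit under the root.
    # commonpath() itself raises ValueError when the drives differ.
    if ntpath.commonpath([base, ntpath.normcase(target)]) != base:
        raise ValueError("resolved path leaves the storage root")
    return target

def is_accepted(action, agentid):
    """True when safe_upload_dir() accepts the pair."""
    try:
        safe_upload_dir(action, agentid)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(naive_upload_dir("one", "two"))     # stays under Storage
    print(naive_upload_dir("..\\..", "two"))  # constructed input: leaves Storage
    print(is_accepted("one", "two"), is_accepted("..\\..", "two"))
```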

Affected Version
=========

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit
====

None required.

1) An attacker can run:

    http://plus.company.org/dagent/nwupload.asp?action=one&agentid=two&data=thisiscool&index=1

This will first delete the folder at:
    {regkey for storage directory}\one\two

then create the directory:
     {regkey for storage directory}\one\two

then write the file:
    {regkey for storage directory}\one\two\1.txt

The file 1.txt will have the contents of the "data" variable.
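
A log triage sketch for the three /dagent/ scripts covered by these advisories, as an added example that is not part of the original advisories. It assumes IIS W3C extended logs and that legitimate agentid and action values are plain identifiers; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs

SAFE_ID = re.compile(r"[A-Za-z0-9_-]+")  # assumption: shape of a legitimate agentid/action

def classify(stem, query):
    """Return a finding for one request to a /dagent/ script, or None."""
    script = stem.lower().rsplit("/", 1)[-1]
    params = {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if script == "checkprofile.asp" and "agentid" in params:
        if not SAFE_ID.fullmatch(params["agentid"]):
            return "checkprofile.asp: agentid is not a plain identifier"
    elif script == "proxyreg.asp":
        for name in ("proxy", "delete"):
            if name in params:
                return f"proxyreg.asp: PDP list change ({name}={params[name]})"
    elif script == "nwupload.asp":
        for name in ("action", "agentid"):
            if name in params and not SAFE_ID.fullmatch(params[name]):
                return f"nwupload.asp: {name} is not a plain directory name"
    return None

def scan(log_text):
    """Return (client_ip, finding) pairs for flagged lines of a W3C extended log."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            finding = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
            if finding:
                findings.append((row.get("c-ip", "?"), finding))
    return findings

# Constructed sample log; client addresses are from documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-06-30 01:00:01 192.0.2.10 GET /dagent/checkprofile.asp agentid=11111 200
2006-06-30 01:00:05 198.51.100.7 GET /dagent/checkprofile.asp agentid=11111';%20INSERT%20INTO%20ReportErrors 200
2006-06-30 01:01:12 192.0.2.10 GET /dagent/proxyreg.asp List= 200
2006-06-30 01:02:40 198.51.100.7 GET /dagent/proxyreg.asp Proxy=www.hostileproxy.com:1337 200
2006-06-30 01:03:02 198.51.100.7 GET /dagent/proxyreg.asp Delete=pdp1.company.org 200
2006-06-30 01:04:19 192.0.2.10 GET /dagent/nwupload.asp action=one&agentid=two&data=thisiscool&index=1 200
2006-06-30 01:04:55 198.51.100.7 GET /dagent/nwupload.asp action=..%5C..%5Cone&agentid=two&data=x&index=1 200
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Only query-string parameters appear in these logs, so values sent in a POST body are not covered. PDP list changes are reported for comparison against known Distribution Point changes rather than as proof of tampering.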

Recommended Solution
=============

Apply Vendor Patch
    PatchLink:
        PatchLink Update Server (PLUS) for 6.2 SR1 P1
        PatchLink Update Server (PLUS) for 6.1 P1
    Novell:
        http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
