Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13377
HistoryJun 30, 2006 - 12:00 a.m.

Multiple Vulnerabilities in PatchLink Update Server 6

2006-06-3000:00:00
vulners.com
6
JSON

PatchLink Update Server 6 SQL Injection

Severity: Critical
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)

Synopsis

Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS). This could allow the attacker to execute sql statements in the
PatchLink database as DBO.

Background

PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.

Discussion

There is an SQL injection vulnerability in the checkprofile.asp script.
This
unauthenticated script uses posted variables in an SQL call, which can
be
exploited.

An unchecked, posted variable (agentid) is used to create an SQL
statement.
The statement is run as “PLUS ANONYMOUS” (who is a member of PLUS
ADMINS, and
the PLUS ADMINS group is dbo on the PLUS database) was the inserting
user.
Thus the database can be manipulated as DBO via this attack.

Affected Version

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit

None required.

The example exploit given here will write the string “something”
into the
ReportErrors table:

http://plus.company.org/dagent/checkprofile.asp?agentid=11111';%20INSERT
%20INTO%20ReportErrors%20(ReportError_Description)%20VALUES%20
('something')–

Recommended Solution

Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:

http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

Disclaimer

Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.

PatchLink Update Server 6 PDP Anonymous Access

Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)

Synopsis

Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS) Distribution Point Server Listing for PatchLink's FastPatch
application. Exploitation of this vulnerability could allow the
attacker to
proxy requests by PatchLink Update Agents for patches, and thus
possibly
inject arbitrary packages into the PatchLink environment.

Background

PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.

PatchLink Distribution Point and FastPatch technology provide
intelligent
distribution across the entire enterprise minimizing deployment speeds
and
bandwidth utilization across the wide area network.

Discussion

The asp page “proxyreg.asp” does not properly authenticate
credentials when
accessed. The “proxyreg.asp” page appears to be used by the
PatchLink
FastPatch software, which allows roaming PatchLink agents to identify
proxy
servers on their network and connect to the closest or fastest
PatchLink
Distribution Point (PDP) automatically. The asp page returns a list of
PDP
servers in the organizations environment. An unauthenticated user can
list,
add, and remove PDP servers from this list.

This vulnerability would only affect organizations that use the
FastPatch
add-on product. Organizations that use SSL to protect their
agent-to-PLUS
communication will be unaffected by this attack.

Affected Version

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit

None required.

1) To list all Proxy servers use:

http://plus.company.org/dagent/proxyreg.asp?List=

Use username/password of null/null for authentication.

2) To add a new Proxy server, use:

http://plus.company.org/dagent/proxyreg.asp?Proxy=www.hostileproxy.com:1337

3) To delete a Proxy server, use:

http://plus.company.org/dagent/proxyreg.asp?Delete=pdp1.company.org

Recommended Solution

1) Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:

http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

2) Workaround
Deploy SSL certificate authentication to secure traffic between
agents
and PLUS.

Disclaimer

Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.

PatchLink Update Server 6 File Overwrite

Severity: Medium
Date: June 28, 2006
Class: Remote
Status: Patch Available
Discovered by: Chris Steipp, Novacoast (csteipp at novacoast dot com)

Synopsis

Novacoast has discovered a vulnerability in the PatchLink Update
Server
(PLUS). This could allow the attacker to write or overwrite files on
the
PLUS filesystem.

Background

PatchLink Update* is the core product of the leading patch and
vulnerability
management solution for medium and large enterprise networks.

Discussion

The application “nwupload.asp” allows unauthenticated connections,
and
performs file writes for the requester as the user “PLUS ANONYMOUS”
(who is
a member of "PLUS ADMINS" Windows group by default). No validation
checks
are performed to prevent directory traversal.

The application nwupload.asp writes a file into directories defined by
variables passed to the page, appended to a registry key value. By
default,
on a Windows 2003 server, the registry key points to:
“C:\Program Files\Patchlink\Update Server\Storage”. Since
directory
traversals are not checked for, it is possible to write to any folder
on the
PLUS that PLUS ANONYMOUS (or thus, the PLUS ADMINS group) has access
to.

Affected Version

PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
Novell ZENworks Patch Management 6.2. SR1

Exploit

None required.

1) An attacker can run:

http://plus.company.org/dagent/nwupload.asp?action=one&agentid=two&data=
thisiscool&index=1

This will first delete the folder at:
{regkey for storage directory}\one\two

then create the directory:
{regkey for storage directory}\one\two

then write the file:
{regkey for storage directory}\one\two\1.txt

The file 1.txt will have the contents of the "data" variable.

Recommended Solution

Apply Vendor Patch
PatchLink:
PatchLink Update Server (PLUS) for 6.2 SR1 P1
PatchLink Update Server (PLUS) for 6.1 P1
Novell:

http://support.novell.com/cgi-bin/search/searchtid.cgi?10100709.htm

Disclaimer

Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.

JSON