Safend Data Protector Multiple Vulnerabilities
Safend Data Protector Multiple Vulnerabilities (Client software) 3.4.5586.9772:
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-private-key-log-file.html
Details
CVE number: CVE-2012-4767
The private key data is in the securitylayer.log file in a directory called "logs.9772". This key could potentially be used to decrypt communications between the client and server and ultimately affect the security policies applied to the machine.
Impact
An attacker may be able to decrypt and potentially change the Safend security policies applied to the machine.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-write-dac-priv-esc.html
Details
CVE number: CVE-2012-4760
The SDBagent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC privilege would allow a local user to rewrite the ACL and give himself full control of the file, which could then be trojaned to gain full local admin privileges. The following is the output from the cacls command:
C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe BUILTIN\Users:(special access:)
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
Impact
An attacker may be able to elevate privileges to local administrator level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-write-dac-priv-esc.html
Details
CVE number: CVE-2012-4760
The SDPagent service has 'WRITE_DAC' privileges set for all local users. The WRITE_DAC privilege would allow a local user to rewrite the ACL and give himself full control of the file, which could then be trojaned to gain full local admin privileges. The following is the output from the cacls command:
C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe BUILTIN\Users:(special access:)
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
Impact
An attacker may be able to elevate privileges to local administrator level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdbagent-unquoted-path-priv-esc.html
Details
CVE number: CVE-2012-4761
The SDBAgent Windows service path has spaces in the path and is not quoted:
C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe
Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe"
This could allow a user with write access to the c: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe") which would be run in place of the intended file.
Impact
An attacker may be able to elevate privileges to local system level.
Advisory Link:
http://www.reactionpenetrationtesting.co.uk/safend-sdpagent-unquoted-path-priv-esc.html
Details
CVE number: CVE-2012-4761
The SDPAgent Windows service path has spaces in the path and is not quoted:
C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe
Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"
This could allow a user with write access to the c: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe") which would be run in place of the intended file.
Impact
An attacker may be able to elevate privileges to local system level.
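Added example, not part of the original advisory: a Python audit sketch that, for the two unquoted service paths described above, lists every location Windows would try before the intended binary, so the write ACLs on those locations can be reviewed. The function names and the sample service table are constructed for illustration, and the ".exe is appended when a candidate has no extension" rule is a simplified model of how the command line is parsed.

```python
import ntpath


def shadow_candidates(image_path: str) -> list[str]:
    """Paths Windows would try before the intended binary when a service
    command line is unquoted and contains spaces (simplified model)."""
    cmd = image_path.strip()
    if not cmd or cmd.startswith('"'):
        return []  # quoted: the executable is unambiguous
    candidates = []
    for pos, ch in enumerate(cmd):
        if ch != " " or cmd[pos - 1] == " ":
            continue  # only split at the first space of each run
        prefix = cmd[:pos]
        ext = ntpath.splitext(prefix)[1].lower()
        if ext == ".exe":
            break  # reached the intended executable; the rest is arguments
        candidates.append(prefix if ext else prefix + ".exe")
    return candidates


def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map service name -> locations whose write permissions need review."""
    return {name: c for name, path in services.items()
            if (c := shadow_candidates(path))}


# Constructed sample input: the unquoted path from the advisory, the quoted
# form it recommends, and a hypothetical service with arguments but no spaces.
SAMPLE = {
    "SDBAgent": r"C:\Program Files\Safend\Data Protection Agent\SDBAgent.exe",
    "SDPAgent": r'"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"',
    "ExampleSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE).items():
        print(f"{name}: unquoted service path")
        for p in paths:
            print(f"  review write access for: {p}")
```

On a live host the dictionary would be filled from each service's ImagePath value; only services whose path is unquoted and contains a space before the executable name are reported.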
Best regards,
Joe
Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.co.uk
Email: joe@reactionis.co.uk
Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ