NAI PGP Keyserver Web Administration Interface Authentication Bypass Vulnerability

Published: 2001-09-28
Updated: 2002-09-28

Affected systems:
Network Associates PGP Keyserver 7.0
Network Associates PGP Keyserver 7.0.1
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
    - Microsoft Windows 2000 Server
    - Microsoft Windows 2000 Datacenter Server SP2
    - Microsoft Windows 2000 Datacenter Server SP1
    - Microsoft Windows 2000 Datacenter Server
    - Microsoft Windows 2000 Advanced Server SP2
    - Microsoft Windows 2000 Advanced Server SP1
    - Microsoft Windows 2000 Advanced Server
    - Sun Solaris 8.0
    - Sun Solaris 7.0
    - Sun Solaris 2.6
Description:
BUGTRAQ  ID: 3375

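PGP Keyserver is a commercial encryption software package from Network Associates; it serves as a PGP public key management system and provides LDAP features.

PGP Keyserver has a vulnerability that lets a remote attacker obtain administrative privileges on the web administration interface. Administrators of the web interface normally execute commands through links such as: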

http://www.example.com/keyserver/cgi-bin/console.exe?page_size=...
http://www.example.com/keyserver/cgi-bin/cs.exe?action=...

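However, remote users can access these links and execute commands directly, without authentication. A malicious user can exploit this vulnerability to replace PGP keys on the PGP Keyserver, obtain sensitive system information, and mount denial-of-service attacks against the system's legitimate users.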

<*Source: Nobuo Miwa (snsadv@lac.co.jp)

  Link: http://archives.neohapsis.com/archives/bugtraq/2001-09/0230.html
*>

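Recommendations:
Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* NAI has provided a temporary workaround; see http://www.pgp.com/support/product-advisories/keyserver.asp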

------------------------------------------------
NT version changes
------------------------------------------------

1) Locate the following section in httpd.conf (installed by default in C:\Program Files\Network Associates\PGP Keyserver\Web\conf):

#
# "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin">
AllowOverride None
Options None
</Directory>

2) Change it to the following:

#
# "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin">
AllowOverride None
Options None
<Files ~ "(console|cs|multi_config|directory)\.(pl|exe)">
Order allow,deny
require valid-user
AuthType Basic
AuthName "PGP Keyserver Administration"
AuthUserFile "C:/Program Files/Network Associates/PGP Keyserver/Web/.allowed-admin"
</Files>
</Directory>

3) Restart the web server.
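
One way to confirm the edit before restarting, as an added example that is not part of the NAI or NSFOCUS advisory: the Python code below scans httpd.conf text for <Files ~ ...> and <Location ~ ...> blocks that carry active require, AuthType and AuthUserFile lines, and lists the admin CGIs that no such block covers. It assumes Python's re module treats these simple patterns the way the web server does, and it checks login enforcement only, not host-based Order/Deny rules; the function and constant names are hypothetical.

```python
import re

ADMIN_CGIS = ("console", "cs", "multi_config", "directory")  # names from the advisory
URL_PREFIX = "/keyserver/cgi-bin/"  # URL path shown in the advisory

# <Files ~ "regex"> ... </Files> and <Location ~ "regex"> ... </Location>
BLOCK_RE = re.compile(r'<(Files|Location)\s+~\s+"([^"]+)"\s*>(.*?)</\1>',
                      re.IGNORECASE | re.DOTALL)

def _enforces_auth(body):
    """True if active (uncommented) lines include require, AuthType, AuthUserFile."""
    lines = (ln.strip().lower() for ln in body.splitlines())
    keys = {ln.split()[0] for ln in lines if ln and not ln.startswith("#")}
    return {"require", "authtype", "authuserfile"} <= keys

def unprotected_admin_cgis(conf_text):
    """Return admin CGI file names not covered by any login-enforcing block."""
    guards = [(kind.lower(), re.compile(rx))
              for kind, rx, body in BLOCK_RE.findall(conf_text)
              if _enforces_auth(body)]
    exposed = []
    for name in ADMIN_CGIS:
        for ext in ("pl", "exe"):
            fname = f"{name}.{ext}"
            # <Files> matches the file name, <Location> matches the URL path
            target = {"files": fname, "location": URL_PREFIX + fname}
            if not any(rx.search(target[kind]) for kind, rx in guards):
                exposed.append(fname)
    return exposed

# Constructed samples, copied from the NT "before" and "after" sections above
BEFORE = r'''<Directory "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin">
AllowOverride None
Options None
</Directory>'''
AFTER = BEFORE.replace("</Directory>", r'''<Files ~ "(console|cs|multi_config|directory)\.(pl|exe)">
Order allow,deny
require valid-user
AuthType Basic
AuthName "PGP Keyserver Administration"
AuthUserFile "C:/Program Files/Network Associates/PGP Keyserver/Web/.allowed-admin"
</Files>
</Directory>''')

if __name__ == "__main__":
    print("before:", unprotected_admin_cgis(BEFORE))
    print("after: ", unprotected_admin_cgis(AFTER))
```

To audit a live server, pass the contents of the real httpd.conf to unprotected_admin_cgis(); an empty list means every admin CGI name is covered by a login-enforcing block.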

------------------------------------------------
Solaris version changes
------------------------------------------------

1) Locate the following section in the Solaris version of httpd.conf (installed by default in /opt/PGPkeysrv/web/conf):

ScriptAlias /keyserver/cgi-bin/ "/opt/PGPkeysrv/web/cgi-bin/"

2) Add the following after it:

<Directory /keyserver/cgi-bin>
AllowOverride None
Options None
<Files ~ "(console|cs|multi_config|directory)\.(pl|exe)">
Order allow,deny
require valid-user
AuthType Basic
AuthName "protected area"
AuthUserFile /opt/PGPkeysrv/web/.allowed-admin
</Files>
</Directory>

3) Restrict access so that only addresses in the 192.168.3 network are allowed:

<Location />
AllowOverride None
Options None
require valid-user
AuthType Basic
AuthName "protected area"
AuthUserFile /opt/PGPkeysrv/web/.allowed-admin

# The default installation requires a login but is otherwise allowed
# from the world. To adjust this policy, read the apache documentation available
# at http://www.apache.org, and remove or comment these lines:
# Order allow,deny
# allow from all

# and uncomment these lines:
Order deny,allow
Deny from all
# and use some variations of some of these lines.

# allow from a particular IP:
# allow from 192.168.3.4
# allow from a particular network:
allow from 192.168.3
# allow from a hostname:
# allow from fredsmachine.yourdomain.com
# allow from your entire domain:
# allow from .yourdomain.com
# allow from your subdomain:
# allow from .infotech.yourdomain.com
</Location>

4) Add the necessary restrictions:

<Location ~ "/keyserver/cgi-bin/(console|cs|multi_config)\.(pl|exe)">
Order allow,deny
Allow from all
require valid-user
AuthType Basic
AuthName "PGP Keyserver Administration"
AuthUserFile "/opt/PGPkeysrv/web/.allowed-admin"
</Location>

<Location ~ "/keyserver/cgi-bin/directory\.(pl|exe)">
# use these lines for open access to directory utility.
# Order allow,deny
# Allow from all

# use these lines for closing access to directory utility:
Order deny,allow
Deny from all

# Use the model above or the Apache docs to add IP or domain-based restrictions.
allow from 192.168.3.4
</Location>

The web server must be restarted.

Vendor patch:

Network Associates
------------------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.pgp.com

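This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.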