Re: [Veritas-bu] Unquoted path vulnerability
2013-05-08 13:32:06
Someone has created a set of scripts to check machines for vulnerable service definitions and optionally fix them:
Thanks for bringing this to our attention. Neil
We've run into this on some other servers. Double-quoting the entire path was our solution.
--------------------------------------------
Jason Brooks
Sr. Computer Systems Engineer
Longwood University
201 High St
Farmville, VA 23909
<mailto:brooksje AT longwood DOT edu>
Voice: 434-395-2034
________________________________________
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Lightner, Jeff [JLightner AT water DOT com]
Sent: Tuesday, May 07, 2013 5:02 PM
To: Preston, Douglas; 'Reynolds, Susan K.'; 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: Re: [Veritas-bu] Unquoted path vulnerability
Looks like this document discusses the exploit in general.
http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/sc-report-files/Microsoft%20Windows%20Unquoted%20Service%20Path%20Enumeration.pdf
It appears someone solved a similar issue as described here: http://splunk-base.splunk.com/answers/69268/the-remote-windows-host-has-at-least-one-service-installed-that-uses-an-unquoted-service-path
Based on what is written in the latter, it appears you might be able to solve this more specifically by searching in your registry for the INET/NetBackup thing it is complaining about and putting double quotes around it, rather than the hack suggested below.
-----Original Message-----
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Preston, Douglas
Sent: Tuesday, May 07, 2013 4:54 PM
To: 'Reynolds, Susan K.'; 'veritas-bu AT mailman.eng.auburn DOT edu'
Subject: Re: [Veritas-bu] Unquoted path vulnerability
I went through and updated all my registry entries that had C:\Program Files\ to C:\Progra~1\. This fixes the issue. I run on a 32-bit OS; on a 64-bit OS the 1 in progra~1 may be a different number.
The real problem is that a person could create a folder called Program and load an executable called Fileswhatever in there and the path of the service not being quoted may look in c:\Program\ instead of "c:\Program Files\"
Doug Preston
-----Original Message-----
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Reynolds, Susan K.
Sent: Tuesday, May 07, 2013 1:45 PM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] Unquoted path vulnerability
Has anyone heard of this being a security issue before:
+++
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.
Ensure that any services that contain a space in the path enclose the path in quotes.
Nessus found the following service with an untrusted path: NetBackup INET Daemon : C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
+++
_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
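An added example, not part of the original thread: a Python sketch of the check the Nessus finding describes, run over service image paths. Only the NetBackup INET Daemon entry comes from the thread; the other sample entries and all function names are constructed for illustration. On a live host the values would come from each service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re

# The executable ends at the first known extension followed by whitespace or end of value.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def split_image_path(value):
    """Split an ImagePath value into (executable, arguments, quoted)."""
    value = value.strip()
    if value.startswith('"'):
        close = value.find('"', 1)
        if close != -1:
            return value[1:close], value[close + 1:].strip(), True
    match = _EXE_END.search(value)
    if match is None:
        return value, "", False  # no known extension: treat the whole value as the path
    return value[:match.end()], value[match.end():].strip(), False

def needs_quotes(value):
    """True when the executable path is unquoted and contains a space."""
    exe, _args, quoted = split_image_path(value)
    return not quoted and " " in exe

def quoted_form(value):
    """Return the value with only the executable quoted, or None if it needs manual review."""
    if not needs_quotes(value):
        return value.strip()
    exe, args, _quoted = split_image_path(value)
    if _EXE_END.search(exe) is None:
        return None  # cannot separate path from arguments reliably
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(services):
    """Map each flagged service name to its suggested quoted ImagePath."""
    return {name: quoted_form(path) for name, path in services.items() if needs_quotes(path)}

# Constructed sample data; only the first path appears in the thread.
SAMPLES = {
    "NetBackup INET Daemon": r"C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe",
    "Quoted example": r'"C:\Program Files\Example\svc.exe" -run',
    "Short-name example": r"C:\Progra~1\Veritas\NetBackup\bin\bpinetd.exe",
    "Spaces only in arguments": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Unquoted with arguments": r"C:\Program Files\Example App\agent.exe --service",
    "No extension": r"C:\Program Files\Example\agent --service",
}

if __name__ == "__main__":
    for name, fix in audit(SAMPLES).items():
        print(f"{name}: {fix if fix else 'review manually'}")
```

Both remedies mentioned in the thread, quoting the whole path and the 8.3 short name, pass this check; arguments after the executable stay outside the quotes.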