Technical Notes

Verastream Integration Broker Security Vulnerability (iDefense Advisory 11.15.05)
Technical Note 10070
Last Reviewed 15-Mar-2007
Applies To
Verastream Integration Broker version 9.9 or earlier
Microsoft Windows
Summary

This technical note describes a security vulnerability in Verastream Integration Broker (VIB). Please evaluate your exposure and apply the recommended workarounds.

Issue

This security vulnerability results from the behavior of the Windows CreateProcess() and CreateProcessAsUser() APIs when they are called in a certain way. If there are one or more spaces in the path name of the process being created, then under certain conditions, Windows could launch an executable whose name matches the process name when truncated at a space in the path name.

To exploit this vulnerability, some other attack would be needed to get a malicious executable file installed in the correct location with the correct name.

This vulnerability has been found to exist in Windows applications from numerous vendors. Additional information can be found on the iDefense Advisory web site, http://www.idefense.com/intelligence/vulnerabilities/display.php?id=340, or on the French Security Incident Response Team web site, http://www.frsirt.com/english/reference/901.

Details and Workarounds

Registering VCP Server Components

VCP server registrations (saved in PARDIR/snregtab.dat) are not vulnerable, as these executable command lines are always quoted.

Registering Partitioning Servers

The Edit Partitioning Tables (Partitioning Table Maintenance) administrative tool is used to create distributed services (such as Data Server). To avoid the vulnerability, use quotes when entering a local directory containing spaces.

Partitioning server registrations are saved in PARDIR/dpclient.dat of the server system. The default Windows installation does not use any partitioning server registrations.

PRINTER Object Printers of Type "v"

If you define a printer of type "v" (temporary file), your command (device) should be enclosed in quotes if it contains spaces.

Note: The PRINTER object is deprecated; it was originally intended for use in character-based and GUI application development. Printers of type "v" are normally not used on Windows, and none are created by the default Windows installation.

Executing External Commands in VSL Code

VSL programmers using the functions PROGRAM BASE, PROGRAM_SILENT BASE, or PROGRAM_NOWAIT BASE should make sure paths containing spaces are quoted.

Note: In version 9.8 and earlier, if you are opening a document file (starting an application associated with the file extension), the quoted command may fail or execute slowly. To avoid this problem, do one of the following:

- Update VIB to version 9.9.
- Use a complete command that includes the executable (with quotes).
- Use an 8.3-equivalent short name.
- Move document files to a directory path without spaces.

Help in Process Integrator and Data Integrator

This vulnerability exists in version 9.8 and earlier. The product online help opens an external web browser, by default based on the system HTML file type association. To work around the vulnerability:

  1. Edit your sn.ini file.
  2. Find the existing line that sets the HTMLBROWSECMD environment variable:
     HTMLBROWSECMD=<HTML>
  3. Set HTMLBROWSECMD to include the explicit quoted path of your web browser. Example:
     HTMLBROWSECMD="C:\Program Files\Internet Explorer\IEXPLORE.EXE" "<HTML>"
  4. Save your modified sn.ini file.

HTML Preview in Data Integrator and Repository Manager

This vulnerability exists in version 9.8 and earlier. The HTML preview of query results opens an external web browser. To work around the vulnerability, edit the sn.ini file as directed in the previous section.

Master-Detail Wizard

This vulnerability exists in version 9.8 and earlier. The Master-Detail Wizard is used to generate a VSL application for displaying and editing database tables that have a one-to-many relationship. In step 7 (Finish tab) of the wizard there is an option to start the application through the system association of the .lgc file extension. This option is labeled: "Exit and execute the default MS-Registry command for VSL files (i.e., Open)."

To avoid the vulnerability in version 9.8, save the .lgc file in a path without spaces, or do not use this option (manually execute the application separately after exiting the wizard).

Starting the Visual Tracer in Process Integrator

This vulnerability exists in version 9.8 and earlier. To work around this issue in version 9.8, install VIB in a path that does not contain a space character. This issue is fixed in version 9.9.

Starting the Tracer in Component Developer

This vulnerability exists in version 9.8 and earlier. To work around the vulnerability:

  1. Edit your sn.ini file.
  2. Find the existing line that sets the SNTRCEXE environment variable:
     SNTRCEXE=%SNPRODUCTROOTDIR%\bin\novatrc -w
  3. Add quotes to the path as follows:
     SNTRCEXE="%SNPRODUCTROOTDIR%\bin\novatrc" -w
  4. Save your modified sn.ini file.
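The following Python check is an added example, not Attachmate code. It covers both sn.ini procedures in this note (HTMLBROWSECMD and SNTRCEXE): it expands each value and lists the truncated file names Windows could try ahead of the intended program when the path is unquoted. The install root, the sample file contents and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample in the NAME=value layout of the sn.ini lines shown in this note.
SAMPLE_SN_INI = r'''
SNTRCEXE=%SNPRODUCTROOTDIR%\bin\novatrc -w
HTMLBROWSECMD="C:\Program Files\Internet Explorer\IEXPLORE.EXE" "<HTML>"
'''
# Assumed install root (constructed), used only to expand %SNPRODUCTROOTDIR%.
SAMPLE_ENV = {"SNPRODUCTROOTDIR": r"C:\Program Files\Example Vendor\VIB"}


def expand(value, env):
    """Expand %NAME% references from env; unknown names are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), value)


def shadow_candidates(command):
    """Return file names Windows may try before the intended executable."""
    command = command.strip()
    if command.startswith('"'):
        return []  # quoted executable path: never truncated at a space
    found = []
    for i, ch in enumerate(command):
        # Heuristic: a space lies inside the path if a backslash follows it.
        # Arguments that are themselves paths are over-reported; review those.
        if ch == " " and command[i - 1] != " " and "\\" in command[i:]:
            prefix = command[:i]
            # Windows appends .exe when the truncated name has no extension.
            found.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return found


def audit(ini_text, env):
    """Map each setting name to the candidate names that should not exist."""
    findings = {}
    for line in ini_text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            hits = shadow_candidates(expand(value, env))
            if hits:
                findings[name] = hits
    return findings


if __name__ == "__main__":
    for setting, names in audit(SAMPLE_SN_INI, SAMPLE_ENV).items():
        print(setting, "is unquoted; check that these do not exist:", names)
```

Any file name it reports is a location to inspect on the server; after the quoted form of the line is saved, the setting no longer appears in the output.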

Future Updates

Attachmate posts notifications of security vulnerabilities on our support site. Check http://support.attachmate.com/ for updates about Verastream products.

Related Technical Notes
10071 Release Notes: Verastream Integration Broker, Version 9.9
10999 Verastream Integration Broker Technical Notes
