SafeNet SAS OWA Agent Directory Traversal Vulnerability

On the 18th August, 2014, AppCheck reported a Directory Traversal Vulnerability in the SafeNet SAS Outlook Web Access Agent that, without requiring any user authentication, allows a remote attacker to gain access to any file located on the remote server’s local hard drives.

 

Vulnerability Summary

 

The SafeNet Authentication Service (SAS) Outlook Web Access Agent (formally CRYPTOCard) provides two-factor authentication for systems running on Microsoft Information Server (IIS) including Outlook Web Access (OWA) in order to increase levels of security for Microsoft enterprise customers.

Using this vulnerability it is possible to locate and retrieve files including:
• IIS Server logs and configuration files for any locally hosted website
• MS Windows configuration files
• SAS configuration files, including the Agent Encryption Key and log files
• Access any other files located on the Windows server.

From initial investigations, it appears that all versions up to and including version 1.03.20091 are vulnerable to this issue, running on all current versions of Microsoft Outlook Web Access.

 

Technical Details

 

When the SAS Agent for Outlook Web Access is installed, depending on how the customer chooses to configure the server, the standard OWA login form is replaced to allow the user to enter additional login information, such as a One Time Password (OTP).

When reviewing the page source, the following lines are observed at the beginning of the file:

<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8" />
<meta name="Robots" content="NOINDEX, NOFOLLOW" />
<title>CRYPTOCard Authentication Form - Outlook Web Access</title>
<link rel="SHORTCUT ICON" href="/owa/?Application=Exchange&GetFile=bsid.ico" />
<link type="text/css" rel="stylesheet" href="/owa/?Application=Exchange&GetFile=logon.css" />
<link type="text/css" rel="stylesheet" href="/owa/?Application=Exchange&GetFile=owafont.css" />
<script type="text/javascript" src="/owa/?Application=Exchange&GetFile=flogon.js"></script>
<script type="text/javascript" src="/owa/?Application=Exchange&GetFile=cryptocard.js"></script>

 

As can be seen above, the GetFile parameter is used to provide a link to the an image or javascript file.
However, the application fails to sanitise the input passed to this parameter with the result that almost any file path passed to GetFile will be loaded and returned to the attacker.

For example, the following URL will return the remote server’s c:\boot.ini file:

https://url/owa/owa?Application=Exchange&
       GetFile=..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini

 

Using this vulnerability it is possible to retrieve almost any file from the remote web server, including IIS web.config files (which may include database connection strings), backup SAM/SYSTEM files or any other configuration file stored on the affected server.

 

Vendor Response

The vendor was notified on the 18th August 2014 and assigned the issue ID SASIL-438 to this vulnerability. They have since released a patch, SAS OWA Agent build 1.03.30109 that resolves the issue. Further details can be found via the SafeNet Support Portal.

Customers are recommended to install the latest patch as a matter of urgency.

 

CVE Details

 

The Common Vulnerabilities and Exposures (CVE) project has assigned the below name to this issue. This is a candidate for inclusion in the CVE list (cve.mitre.org), which standardises names for security problems.

The following CVE id has been assigned to this issue: CVE-2014-5359 – SafeNet SAS IIS Agent Security Vulnerability

Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial