Reaction Information Security

Penetration testing at its best.

Network penetration testing, web application security, firewall review, CHECK pen testing, server build review, social engineering..


Safend Data Protection Agent (SDPAgent) Privilege Escalation via Unquoted Service Path

Summary

Safend Data is vulnerable to a privilege elevation vulnerability in the SDPAgent Windows service file relating to unquoted service paths.

  • CVE number: CVE-2012-4761
  • Impact: Medium
  • Vendor homepage: http://www.wave.com/products/safend-protector
  • Vendor notified: 11/09/2012
  • Vendor response: This will be fixed in the next release.
  • Credit: Joseph Sheridan of ReactionIS

Affected Products

Safend Data (Client software) 3.4.5586.9772. Other versions may also be affected.

Details

The SDPAgent Windows service path has spaces in the path and is not quoted:

C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe

Instead of:
"C:\Program Files\Safend\Data Protection Agent\SDPAgent.exe"

This could allow a user with write access to the c: drive to create a malicious C:\program.exe file (or even "c:\program files\safend\data.exe") which would be run in place of the intended file.

Impact

An attacker may be able to elevate privileges to local system level.

Solution

This issue will be fixed in the next release.

About ReactionIS

Reaction Information Security is a leading independent pen test consultancy specialising in delivering the highest quality security testing services including network pen testing and web application security testing. As a CESG CHECK Service Provider we are authorised to carry out penetration testing on classified government networks.

Get a Quote Online

Submit your testing requirements online and one of the team will get right back to you.

Penetration Testing Services

Firewall reviews, database audits, code reviews, social engineering and more..

Application Security

Ensure your web and mobile apps are safe from attack.

Read more