TS-2007-002-0: BlueCat Networks Adonis root Privilege Access

Template Security Security Advisory

  BlueCat Networks Adonis root Privilege Access

  Date: 2007-08-06
  Advisory ID: TS-2007-002-0
  Vendor: BlueCat Networks, http://www.bluecatnetworks.com/   Revision: 0

Contents

  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary

  Template Security has discovered a serious user input   validation vulnerability in the BlueCat Networks Proteus IPAM   appliance. Proteus can be used to upload files to managed   Adonis appliances to be downloadable by TFTP from the   appliance. A Proteus administrator with privilege to add TFTP   files and perform TFTP deployments can overwrite existing files   and create new files as root on the Adonis DNS/DHCP appliance.   This can be used for example to overwrite the system password   database and change the root account password.

Software Version

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

  Proteus version 2.0.2.0 and Adonis version 5.0.2.8 were tested.

Details

  Proteus allows TFTP files to be named by an administrator, and   there is no data validation performed for user input such as   relative paths. Files are supposed to be copied only to the   /tftpboot/ directory, and the file copy is performed with root   privilege. This means for example that a file named   "../etc/shadow" will overwrite the shadow password database   "/etc/shadow".

Impact

  Successful exploitation of the vulnerability will result in   root access on the Adonis appliance.

Exploit

  0) Create a new TFTP Group in a Proteus configuration.

1. Add a TFTP deployment role specifying an Adonis appliance to the group.
2. At the top-level folder in the new TFTP group, add a file named "../etc/shadow" (without the quotes) and load a file containing the following line:

     root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

     NOTE: The sshd configuration uses the default setting
     'PermitEmptyPasswords no', so we specify a password of
     bluecat.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

  3) Deploy the configuration to the Adonis appliance.

  4) You can now login to the Adonis appliance as root with

     password bluecat.

     $ ssh root@192.168.1.11
     root@192.168.1.11's password: 
     # cat /etc/shadow
     root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

     NOTE: This example assumes SSH is enabled, iptables permits
     port tcp/22, etc.

  Many attack variations are possible, such as changing system   startup scripts to modify the iptables configuration on the   appliance.

Workarounds

  The attack can be prevented by creating an access right   override at the configuration level to disable TFTP access for   each administrator.

Obtaining Patched Software

  Contact the vendor.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Credits

  defaultroute discovered this vulnerability while performing a   security review of the Proteus IPAM appliance (a discovery   fueled by Red Bull and techno). defaultroute is a member of   Template Security.

Revision History

  2007-08-06: Revision 0 released Received on Mon Aug 6 13:38:36 2007