SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Device (Embedded Server/Appliance)  >  Proteus Vendors:  BlueCat Networks
BlueCat Networks Proteus Input Validation Flaw Lets Remote Authenticated Administrators Gain Root Access on Adonis Devices
SecurityTracker Alert ID:  1018521
SecurityTracker URL:  http://securitytracker.com/id?1018521
CVE Reference:  CVE-2007-4226   (Links to External Site)
Updated:  Aug 21 2007
Original Entry Date:  Aug 6 2007
Impact:  Modification of system information, Root access via network
Exploit Included:  Yes  
Version(s): 2.0.2.0
Description:  A vulnerability was reported in BlueCat Networks Proteus. A remote authenticated administrator can gain root access on the target Adonis device.

A remote authenticated Proteus administrator with privileges to deploy TFTP files to Adonis appliances can modify arbitrary files on the target appliance. A specially crafted file name containing directory traversal characters allows the user to overwrite files located outside of the intended '/tftpboot/' directory.

defaultroute of Template Security discovered this vulnerability.

Impact:  A remote authenticated user can overwrite arbitrary files on the target Adonis devices.
Solution:  No solution was available at the time of this entry.

The vendor is working on a fix.
Vendor URL:  www.bluecatnetworks.com/ (Links to External Site)
Cause:  Input validation error
Reported By:  "anonymous.c7ffa4057a" <anonymous.c7ffa4057a@anonymousspeech.com>
Message History:   None.

 Source Message Contents
Date:  Tue, 07 Aug 2007 01:57:18 +0900
From:  "anonymous.c7ffa4057a" <anonymous.c7ffa4057a@anonymousspeech.com>
Subject:  TS-2007-002-0: BlueCat Networks Adonis root Privilege Access

 
Template Security Security Advisory
-----------------------------------

  BlueCat Networks Adonis root Privilege Access

  Date: 2007-08-06
  Advisory ID: TS-2007-002-0
  Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
  Revision: 0

Contents
--------

  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary
-------

  Template Security has discovered a serious user input
  validation vulnerability in the BlueCat Networks Proteus IPAM
  appliance.  Proteus can be used to upload files to managed
  Adonis appliances to be downloadable by TFTP from the
  appliance.  A Proteus administrator with privilege to add TFTP
  files and perform TFTP deployments can overwrite existing files
  and create new files as root on the Adonis DNS/DHCP appliance.
  This can be used for example to overwrite the system password
  database and change the root account password.

Software Version
----------------

  Proteus version 2.0.2.0 and Adonis version 5.0.2.8 were tested.

Details
-------

  Proteus allows TFTP files to be named by an administrator, and
  there is no data validation performed for user input such as
  relative paths.  Files are supposed to be copied only to the
  /tftpboot/ directory, and the file copy is performed with root
  privilege.  This means for example that a file named
  "../etc/shadow" will overwrite the shadow password database
  "/etc/shadow".

Impact
------

  Successful exploitation of the vulnerability will result in
  root access on the Adonis appliance.

Exploit
-------

  0) Create a new TFTP Group in a Proteus configuration.

  1) Add a TFTP deployment role specifying an Adonis appliance to
     the group.

  2) At the top-level folder in the new TFTP group, add a file
     named "../etc/shadow" (without the quotes) and load a file
     containing the following line:
  
     root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

     NOTE: The sshd configuration uses the default setting
     'PermitEmptyPasswords no', so we specify a password of
     bluecat.

  3) Deploy the configuration to the Adonis appliance.

  4) You can now login to the Adonis appliance as root with
     password bluecat.

     $ ssh root@192.168.1.11
     root@192.168.1.11's password: 
     # cat /etc/shadow
     root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

     NOTE: This example assumes SSH is enabled, iptables permits
     port tcp/22, etc.

  Many attack variations are possible, such as changing system
  startup scripts to modify the iptables configuration on the
  appliance.

Workarounds
-----------

  The attack can be prevented by creating an access right
  override at the configuration level to disable TFTP access for
  each administrator.

Obtaining Patched Software
--------------------------

  Contact the vendor.

Credits
-------

  defaultroute discovered this vulnerability while performing a
  security review of the Proteus IPAM appliance (a discovery
  fueled by Red Bull and techno).  defaultroute is a member of
  Template Security.

Revision History
----------------

  2007-08-06: Revision 0 released


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC