SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   Brocade Switch Vendors:   Brocade Communications Systems
Brocade Fabric OS File Access Controls Let Local Users Obtain Potentially Sensitive Information on the Target System
SecurityTracker Alert ID:  1034278
SecurityTracker URL:  http://securitytracker.com/id/1034278
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 2 2015
Impact:   Disclosure of authentication information, Disclosure of system information
Exploit Included:  Yes  
Version(s): 6.3.1b
Description:   A vulnerability was reported in Brocade Fabric OS. A local user can obtain potentially sensitive information.

A local user can obtain password hashes from the '/etc/passwd' file.

A local user may be able to exploit weak access permissions on world-writable and set user id (setuid) files to gain elevated privileges.

Karn Ganeshen reported these vulnerabilities.

Impact:   A local user can obtain potentially sensitive information on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.brocade.com/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  [FD] Brocade Fabric OS v6.3.1b Multiple Vulnerabilities

# Title: [Brocade Fabric OS v6.3.1b - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.brocade.com]
# Versions Reported: Kernel 2.6.14.2 + FabOS v6.3.1b + BootProm 1.0.9

> *version*
Kernel:     2.6.14.2
Fabric OS:  v6.3.1b
BootProm:   1.0.9

1 *Default diagnostic accounts*
root and factory with default passwords documented in respective admin
guides. By default, both these users are not restricted and can SSH /
telnet in to the box.

2 *unix-passwd-in-etc-passwd*
Password hashes found in /etc/passwd files (All user hashes)

3 *unix-uid-0-accounts*
Multiple users have UID 0 privs

4 *unix-world-writable-files*
Multiple world writable files are present:
/etc/fabos/hil_wwn
/etc/fabos/cfgsave/factory/etc/hosts
/etc/raslog.ext
/etc/raslog.int
/etc/ipadmd_log.txt
/etc/hosts.0

5 *unix-user-home-dir-mode - weak access permissions*
The permissions for home directory of user basicswitchadmin was found to be
755 instead of 750.

6 *generic-passwd-shadow-group-file-permissions - weak access permissions*
The permission of file '/etc/shadow' is not 400.

7 *unix-partition-mounting-weakness*

/tmp partition does not have 'nosuid' option set.
/tmp partition does not have 'noexec' option set.
/tmp partition does not have 'nodev' option set.
/mnt partition does not have 'nodev' option set.

8 *unix-suid-writable*
Following world-writable suid files were found on the system:
/etc/fabos/hil_wwn(-r-xrw-rw-)

9 *unix-suid-script*
Multiple scripts with suid set were found on the system:

, wwn /fabos/sbin/coreshow /fabos/sbin/timeLineGet /fabos/bin/getIpAddr.sh
/fabos/ , , bin/userConfig /fabos/cliexec/authCmds /fabos/cliexec/config
/fabos/cliexec/conf , , igCmd /fabos/cliexec/configure
/fabos/cliexec/fcping /fabos/cliexec/fpcmd /fabos , , /cliexec/haadm
/fabos/cliexec/helpcmds /fabos/cliexec/ipAddr /fabos/cliexec/kill , ,
telnet /fabos/cliexec/ms /fabos/cliexec/savecore /fabos/cliexec/secCmds
/fabos/c , , /fabos/sbin/coreshow, /fabos/sbin/timeLineGet,
/fabos/cliexec/killtelnet, /fabos/cliexec/savecore,
/fabos/cliexec/ssave.sh, , supportsave /fabos/cliexec/supportsavestatus
/fabos/cliexec/switchcmd /fabos/cli , , exec/syscmd
/fabos/cliexec/trace_cli /fabos/standby_sbin/coreshow /fabos/libexec , ,
/coreffdc.sh /fabos/libexec/ethmode /fabos/libexec/getDefaultFID
/fabos/libexec/ , , ipc_showAll /fabos/libexec/secRoleCheck
/fabos/etc/swInst /fabos/webtools/htdocs , , /weblinker.fcg
/var/log/rcslog.old /var/log/fdmilog.txt /var/log/ficulog.txt /va , ,
r/log/nslog.txt /var/log/rcslog.txt /var/log/seclog.txt
/var/log/zonelog.txt && , , /fabos/cliexec/supportsavestatus,
/fabos/standby_sbin/coreshow, /fabos/libexec/coreffdc.sh,
/fabos/libexec/ipc_showAll, , g.txt /var/log/esslog.old
/var/log/ficulog.old /var/log/fdmilog.old /var/log/ess , , log.txt
/var/log/nslog.old /var/log/seclog.old /var/log/zonelog.old /var/log/snm ,
, plog.old /bin/passwd /bin/login /bin/login.nopam /bin/ping /sbin/fuser
/sbin/boo , , tenv /usr/bin/du /usr/bin/ppname /usr/bin/rcp /usr/bin/rlogin
/usr/bin/rsh, sr/sbin/sendmail
-- 
Best Regards,
Karn Ganeshen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC