BlueCat Networks Proteus Input Validation Flaw Lets Remote Authenticated Administrators Gain Root Access on Adonis Devices
SecurityTracker Alert ID: 1018521|
SecurityTracker URL: http://securitytracker.com/id/1018521
(Links to External Site)
Updated: Aug 21 2007|
Original Entry Date: Aug 6 2007
Modification of system information, Root access via network|
Exploit Included: Yes |
A vulnerability was reported in BlueCat Networks Proteus. A remote authenticated administrator can gain root access on the target Adonis device.|
A remote authenticated Proteus administrator with privileges to deploy TFTP files to Adonis appliances can modify arbitrary files on the target appliance. A specially crafted file name containing directory traversal characters allows the user to overwrite files located outside of the intended '/tftpboot/' directory.
defaultroute of Template Security discovered this vulnerability.
A remote authenticated user can overwrite arbitrary files on the target Adonis devices.|
No solution was available at the time of this entry.|
The vendor is working on a fix.
Vendor URL: www.bluecatnetworks.com/ (Links to External Site)
Input validation error|
Source Message Contents
Subject: TS-2007-002-0: BlueCat Networks Adonis root Privilege Access|
Template Security Security Advisory
BlueCat Networks Adonis root Privilege Access
Advisory ID: TS-2007-002-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Obtaining Patched Software
Template Security has discovered a serious user input
validation vulnerability in the BlueCat Networks Proteus IPAM
appliance. Proteus can be used to upload files to managed
Adonis appliances to be downloadable by TFTP from the
appliance. A Proteus administrator with privilege to add TFTP
files and perform TFTP deployments can overwrite existing files
and create new files as root on the Adonis DNS/DHCP appliance.
This can be used for example to overwrite the system password
database and change the root account password.
Proteus version 188.8.131.52 and Adonis version 184.108.40.206 were tested.
Proteus allows TFTP files to be named by an administrator, and
there is no data validation performed for user input such as
relative paths. Files are supposed to be copied only to the
/tftpboot/ directory, and the file copy is performed with root
privilege. This means for example that a file named
"../etc/shadow" will overwrite the shadow password database
Successful exploitation of the vulnerability will result in
root access on the Adonis appliance.
0) Create a new TFTP Group in a Proteus configuration.
1) Add a TFTP deployment role specifying an Adonis appliance to
2) At the top-level folder in the new TFTP group, add a file
named "../etc/shadow" (without the quotes) and load a file
containing the following line:
NOTE: The sshd configuration uses the default setting
'PermitEmptyPasswords no', so we specify a password of
3) Deploy the configuration to the Adonis appliance.
4) You can now login to the Adonis appliance as root with
$ ssh email@example.com
# cat /etc/shadow
NOTE: This example assumes SSH is enabled, iptables permits
port tcp/22, etc.
Many attack variations are possible, such as changing system
startup scripts to modify the iptables configuration on the
The attack can be prevented by creating an access right
override at the configuration level to disable TFTP access for
Obtaining Patched Software
Contact the vendor.
defaultroute discovered this vulnerability while performing a
security review of the Proteus IPAM appliance (a discovery
fueled by Red Bull and techno). defaultroute is a member of
2007-08-06: Revision 0 released