SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Security Readiness Review (SRR) Evaluation Scripts Vendors:   DISA
DISA UNIX Security Readiness Review (SRR) Evaluation Scripts Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1023265
SecurityTracker URL:  http://securitytracker.com/id/1023265
CVE Reference:   CVE-2009-4211   (Links to External Site)
Updated:  Dec 11 2009
Original Entry Date:  Dec 3 2009
Impact:   Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): October 15, 2009 version; December 7, 2009 version; possibly other versions
Description:   A vulnerability was reported in DISA's UNIX Security Readiness Review (SRR) Evaluation Scripts. A local user can obtain root privileges on the target system.

The scripts conduct a 'find' command search for certain named files and then invokes the files with root privileges. A local user can create a specially named executable file containing arbitrary code. When the SRR scripts are run, the arbitrary code will be executed with root privileges.

The following filenames are executed:

java -version
openssl version
php -v
snort -V
tshark -v
vncserver -help
wireshark -v

If a remote user is permitted to upload executable files with arbitrary file names, then this vulnerability may be exploited remotely.

SRR scripts for other platforms were not evaluated.

US-CERT was notified on September 21, 2009 and US-CERT VU #433821 was assigned.

Frank Stuart reported this vulnerability.

Impact:   A local user can execute arbitrary code with root privileges on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  iase.disa.mil/stigs/SRR/index.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) root compromise / VU#433821

This is a multi-part message in MIME format.
--------------050101080309030808000804
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Executive Summary
- -----------------

Unprivileged local users can obtain root access on Unix systems where
the DISA SRR scripts are run.  If a remote user can introduce a file
into the filesystem (e.g. anonymous ftp, http upload, cdrom, samba
share, etc.), root access may be obtained by remote, and potentially
anonymous, users.

Software Description
- --------------------

The U.S. Defense Information Systems Agency (DISA) publishes Security
Readiness Review scripts (SRRs) to ensure systems and software meet
security baselines required by the Department of Defense.  The SRRs are
commonly run on military systems and DISA makes them available to other
government agencies and the general public (at their own risk) at
http://iase.disa.mil/stigs/SRR/index.html.

This vulnerability report applies to the current (October 15, 2009) Unix
SRR.  It was tested on Solaris/x86 only but is expected to be applicable
to all Unix/Linux versions supported by the software.  DISA publishes
SRR updates approximately once every two months and it is believed that
many previous versions are also vulnerable.

DISA also publishes SRR scripts for other software/operating systems
(e.g. Windows Vista, Oracle database, Open VMS).  These could contain
similar vulnerabilities (I haven't gone looking for them).

Vulnerability Description
- -------------------------

The Unix SRR must be run as root and one of the first things it does is
a global find from /.  It then runs a series of modular scripts looking
for specific vulnerabilities or Potential Discrepancy Items (PDIs).

Some of the PDIs include checks for specific versions of software.
Unfortunately, in some cases, it runs these unknown/untrusted/suspect
programs as root in an attempt to determine the version of the software
it found.

The following programs are known to be run:

     java -version
     openssl version
     php -v
     snort -V
     tshark -v
     vncserver -help
     wireshark -v

An attacker can, for example, create an executable or shell script with
a root kit installer called "php", anywhere in the filesystem.  When the
SRR is run, it will execute "php -v" as root and the root kit will be
installed.  A clever attacker could print out the "good" version string
of php and silently install the root kit.  A very clever attacker could
do the above and then replace the fake php with the real one, covering
his tracks.


Suggested Workaround
- --------------------

Do not run the DISA Unix SRR script until a fix is available.

Suggested Fix
- -------------

The publisher should do a comprehensive review of their software to make
sure they eliminate all cases where they execute
unknown/untrusted/suspect code as root.  Ideally, they should not
execute such code at all, even as an unprivileged user.  A better
approach would be to use "strings" or something similar to look for a
signature to try to determine the version of the software it found.


Vulnerability Reporting/Tracking
- --------------------------------
Reported to CERT Coordination Center September 21, 2009.  Assigned
tracking number VU#433821.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBSxdPY2KGA6cQSpZSAQJy4wf+MRAEiaL9jcHOHqReWBxyf+jSSsU8fxzK
uIDrJ03Dxg6cJuhiwSHkTbzlP7ay/O7xLY7e5PG3B42eSUTd5Fx1Nxauoo9TpSqY
yupE6i2lpOB1nXhjRdlEbuddzLTmBhcHL4K/PqG6EoN5gGbSBe15Jon7DPh681SQ
4AbFTX/8c/fs0KE+6w6J52Bq8mtY6KVDBZ2+yqnY6QSeH6k5+avb8skoeD2YR30y
OdMqwo11++z85FQ7Fih+GMeNSYTDDED61hbwsQaWnuS9kkil1FiMTGbNcWoKWORd
w3E2IQs6c4WxPeISw6bbsyCpm+nTDjDAw6gfkejvRVtD9HKjG7CL1Q==
=hWBM
-----END PGP SIGNATURE-----

--------------050101080309030808000804
Content-Type: text/x-vcard; charset=utf-8;
 name="fstuart.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="fstuart.vcf"

begin:vcard
fn:Frank Stuart
n:Stuart;Frank
org:F. Stuart Consulting, LLC
adr;dom:;;;Montgomery;AL
email;internet:fstuart@fstuart.com
title:Owner, Senior Unix Consultant
tel;cell:703-599-7777
x-mozilla-html:TRUE
url:http://www.fstuart.com/
version:2.1
end:vcard


--------------050101080309030808000804--
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC