Cisco Unified Communications Manager setuid Binary Lets Local Users Gain Root Privileges
SecurityTracker Alert ID: 1024694|
SecurityTracker URL: http://securitytracker.com/id/1024694
(Links to External Site)
Date: Nov 8 2010
Root access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 6, 7, 8|
A vulnerability was reported in Cisco Unified Communications Manager. A local user can obtain root privileges on the target system.|
A local user can supply specially crafted command line arguments to a set user id (setuid) binary to execute arbitrary commands on the target system with root privileges.
The vendor was notified on August 21, 2010.
Cisco has assigned Cisco bug IDs CSCti52041 and CSCti74930 to this vulnerability.
Knud Erik Hjgaard of nSense reported this vulnerability.
A local user can obtain root privileges on the target system.|
The vendor has issued a fix.|
The vendor's advisory is available at:
Vendor URL: tools.cisco.com/security/center/viewAlert.x?alertId=21656 (Links to External Site)
Access control error, Input validation error|
Source Message Contents
Subject: nSense-2010-003: Cisco Unified Communications Manager|
nSense Vulnerability Research Security Advisory NSENSE-2010-003
Affected Vendor: Cisco Systems, Inc
Affected Product: Cisco Unified Communications Manager
Impact: Privilege Escalation
Vendor response: Patch. IntelliShield ID 21656
Credit: Knud / nSense
Cisco Unified Communications Manager contains a setuid binary
which fails to validate command line arguments. A local user
can leverage this vulnerability to gain root access by
supplying suitable arguments to the binary.
The application also contains unsafe function calls, such as
Proof of concept:
Aug 21st Contacted vendor PSIRT
Aug 23rd Vendor response. Vulnerability acknowledged
Aug 23rd More information sent to vendor
Sep 2nd Status update request sent to vendor
Sep 2nd Vendor response
Sep 3rd Vendor response. More information provided.
Sep 22nd Status update request sent to vendor
Sep 22nd Vendor response
Sep 23rd Vendor response. New release date suggested
Sep 23rd Agreed to the October 20th release date
Sep 23rd Vendor response
Oct 6th Requested schedule information from vendor
Oct 6th Vendor response. New release date suggested
Oct 6th Sent counterproposal to vendor
Oct 6th Vendor response. Requested Wednesday release
Oct 7th Agreed to the new release date
Oct 7th Vendor response
Nov 3rd Vendor confirms release and sends link
Nov 5th Advisory published
A thank you to Matthew Cerha / Cisco PSIRT for the coordination
"Remember, remember the Fifth of November"
$$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.
$$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$
$$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$
$$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$
$$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P
D r i v e n b y t h e c h a l l e n g e _