exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

DDN SFA Privilege Escalation

DDN SFA Privilege Escalation
Posted Jun 15, 2016
Authored by John Fitzpatrick

DDN SFA suffers from a privilege escalation vulnerability.

tags | advisory
SHA-256 | 8685f5cd2b43437141d6700fcd38911bb8804b7c0342311a9bbe76773a26134b

DDN SFA Privilege Escalation

Change Mirror Download
###[DDN Insecure Update Process]###

An insecure update mechanism on DDN SFA devices allows for privilege escalation

* Product: DDN SFA storage devices, all versions, all models
* Severity: High
* CVE Reference: NO CVE ASSIGNED - MWR ref: MWR-2016-0001)
* Type: Insecure update mechanism
* Author: John Fitzpatrick
* Date: 2016-06-15


## Description

The mechanism used for updating firmware on DDN controllers is insecure allowing for privilege escalation to root.


## Impact

Exploitation of this issue can allow for code execution as root allowing an adversary to gain full access to the DDN controller.


## Cause

This is caused by an insecure firmware update mechanism which does not validate the legitimacy of the firmware being uploaded.


## Interim Workaround

MWR strongly recommend restricting access to all DDN management interfaces via the use of ACLs until DDN provide an appropriate resolution to this issue. In addition it should be ensured that appropriate mitigating controls are implemented for the accompanying advisory “DDN Default SSH Keys – MWR-2016-0002” and that default user account passwords are changed.


## Solution

There is no vendor supplied solution to this vulnerability. When DDN have resolved this vulnerability DDN users should apply the appropriate fixes.

It is recommended that DDN implement a signing mechanism that validates that firmware is from a trusted source before attempting to deploy it. Making use of public key cryptography in order to sign firmware would be a suitable approach if correctly implemented. DDN have, however, chosen not to comment on their preferred resolution or its progress but have indicated that they may resolve this issue towards the end of 2016.


## Further Information

DDN firmware is provided as a .tar file. Within this archive is another archive containing the contents of the filesystem which, when an update is run, is extracted and deployed to disk. A number of shell scripts also execute during the update process and these are executed as root. Therefore, by either manipulating the shell scripts or by modifying the filesystem contents within the archive, it is possible perform activities which would provide full root access to the DDN device.

There is a signing mechanism in place; however, this is focused on ensuring files are not corrupt rather than ensuring that files are from a legitimate source. Within janus.md5 is a list of MD5 checksums for all files within the archive. These entries can simply be replaced with new MD5s as appropriate.

In order to perform an update, it is necessary to have access to accounts on the DDN controller. Our testing was performed via SSH using the firmware account to drop the firmware. This account has a very guessable password set by default. The ddn user account was then used in order to load the new config/firmware via the appropriate menu options. The ddn user also has a default password set, but this is much less guessable. However, even if the default passwords have been changed it will be possible to use the default SSH keys described in MWR-2016-0002 (DDN Default SSH Keys) in order to gain the required level of access in order to deploy the new firmware.

Ironically, successful exploitation of this insecure update mechanism allows DDN users to remove the default SSH keys and secure their devices. Whether this would impact support contracts or warranties with DDN or other suppliers is unknown.

This advisory will be updated should DDN choose to provide an appropriate solution to this security issue.


## Timeline

2016-03-09: Initial contact made with DDN
2016-03-14: Conference call with DDN engineers
2016-03-15: Full vulnerability details provided to DDN
2016-05-16: Advisory released for limited disclosure
2016-06-15: Advisory released

(Thanks to those who were key in identifying this vulnerability)

The full MWRLabs maintained advisory can be found here: https://labs.mwrinfosecurity.com/advisories/ddn-insecure-update-process/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close