exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TS-2007-002-0.txt

TS-2007-002-0.txt
Posted Aug 8, 2007
Authored by Template Security

Template Security has discovered a serious user input validation vulnerability in the BlueCat Networks Proteus IPAM appliance. Proteus can be used to upload files to managed Adonis appliances to be downloadable by TFTP from the appliance. A Proteus administrator with privilege to add TFTP files and perform TFTP deployments can overwrite existing files and create new files as root on the Adonis DNS/DHCP appliance. This can be used for example to overwrite the system password database and change the root account password. Exploitation details provided. E

tags | exploit, root
SHA-256 | b0eb22efabd9f01f0e33d402c05a54ce9da6497be21f0ffd6bbb01e08c0d5664

TS-2007-002-0.txt

Change Mirror Download
Template Security Security Advisory
-----------------------------------

BlueCat Networks Adonis root Privilege Access

Date: 2007-08-06
Advisory ID: TS-2007-002-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0

Contents
--------

Summary
Software Version
Details
Impact
Exploit
Workarounds
Obtaining Patched Software
Credits
Revision History

Summary
-------

Template Security has discovered a serious user input
validation vulnerability in the BlueCat Networks Proteus IPAM
appliance. Proteus can be used to upload files to managed
Adonis appliances to be downloadable by TFTP from the
appliance. A Proteus administrator with privilege to add TFTP
files and perform TFTP deployments can overwrite existing files
and create new files as root on the Adonis DNS/DHCP appliance.
This can be used for example to overwrite the system password
database and change the root account password.

Software Version
----------------

Proteus version 2.0.2.0 and Adonis version 5.0.2.8 were tested.

Details
-------

Proteus allows TFTP files to be named by an administrator, and
there is no data validation performed for user input such as
relative paths. Files are supposed to be copied only to the
/tftpboot/ directory, and the file copy is performed with root
privilege. This means for example that a file named
"../etc/shadow" will overwrite the shadow password database
"/etc/shadow".

Impact
------

Successful exploitation of the vulnerability will result in
root access on the Adonis appliance.

Exploit
-------

0) Create a new TFTP Group in a Proteus configuration.

1) Add a TFTP deployment role specifying an Adonis appliance to
the group.

2) At the top-level folder in the new TFTP group, add a file
named "../etc/shadow" (without the quotes) and load a file
containing the following line:

root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

NOTE: The sshd configuration uses the default setting
'PermitEmptyPasswords no', so we specify a password of
bluecat.

3) Deploy the configuration to the Adonis appliance.

4) You can now login to the Adonis appliance as root with
password bluecat.

$ ssh root@192.168.1.11
root@192.168.1.11's password:
# cat /etc/shadow
root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

NOTE: This example assumes SSH is enabled, iptables permits
port tcp/22, etc.

Many attack variations are possible, such as changing system
startup scripts to modify the iptables configuration on the
appliance.

Workarounds
-----------

The attack can be prevented by creating an access right
override at the configuration level to disable TFTP access for
each administrator.

Obtaining Patched Software
--------------------------

Contact the vendor.

Credits
-------

defaultroute discovered this vulnerability while performing a
security review of the Proteus IPAM appliance (a discovery
fueled by Red Bull and techno). defaultroute is a member of
Template Security.

Revision History
----------------

2007-08-06: Revision 0 released


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    16 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close