Enomaly ECP/Enomalism Code Execution
Posted Feb 13, 2009
Authored by Sam Johnston

All versions of Enomaly ECP/Enomalism have an insecure silent update mechanism that could allow a remote attacker to execute arbitrary code as root.

tags | advisory, remote, arbitrary, root
SHA-256 | 9f314c7d809a33fd1f2f922ca6d89e8825901419404addfcf7d0d5e4c2e48bca

Enomaly ECP/Enomalism: Silent update remote command execution vulnerability

Synopsis

All versions of Enomaly ECP/Enomalism have an insecure silent update mechanism
that could allow a remote attacker to execute arbitrary code as root.

Background

Enomaly ECP (formerly Enomalism) is management software for virtual machines.

Description

Sam Johnston (http://samj.net/) of Australian Online Solutions
(http://www.aos.net.au) reported that the main Enomaly ECP daemon (enomalism2d)
includes an undocumented silent update mechanism that insecurely downloads and
executes code from Enomaly's corporate web server.

Enomaly ECP silently attempts to receive and forcibly install unsigned Python
modules over HTTP from http://enomaly.com/fileadmin/eggs/ (currently exception
drivemounter, and phone_home) when encountering any error loading any module.
This allows for remote, privileged exploitation without any user intervention.

Impact

Combined with the ability to intercept requests to Enomaly's corporate web
server by other means such as ARP or DNS spoofing, or compromise the server
itself or any intermediary server, it is possible to execute arbitrary
commands as the root user on any server requesting an update. An attacker may
also be able to trigger the update mechanism by inducing any condition where
modules fail to load, e.g. exhausting memory by making many web requests.

Workaround

Resolve enomaly.com to 127.0.0.1 in affected servers' hosts files.
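
An added example, not part of the original advisory: a small audit check that reads a hosts file and reports whether the workaround above is actually in effect for the update host. The function names and sample file contents are constructed for illustration; it assumes the hosts file is consulted before DNS on the affected server.

```python
import ipaddress

UPDATE_HOST = "enomaly.com"  # host taken from the update URL in the advisory

# Constructed sample hosts-file contents (not taken from any real system).
APPLIED = "127.0.0.1 localhost\n127.0.0.1\tenomaly.com  # ECP workaround\n"
COMMENTED = "127.0.0.1 localhost\n# 127.0.0.1 enomaly.com\n"
SHADOWED = "203.0.113.10 enomaly.com\n127.0.0.1 enomaly.com\n"
WRONG_NAME = "127.0.0.1 www.enomaly.com\n"


def hosts_entries(text, name):
    """Return every address the hosts-file text maps to `name`, in file order."""
    found = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        if name.lower() not in names:
            continue
        try:
            # Strip an IPv6 zone id (e.g. fe80::1%eth0) before parsing.
            found.append(ipaddress.ip_address(fields[0].split("%", 1)[0]))
        except ValueError:
            continue  # skip lines whose address field does not parse
    return found


def workaround_status(text, name=UPDATE_HOST):
    """Classify the hosts file as 'missing', 'applied' or 'ineffective'."""
    addrs = hosts_entries(text, name)
    if not addrs:
        return "missing"
    # Assumption: require every entry to be loopback, because resolvers differ
    # on whether they return the first matching line or all of them.
    return "applied" if all(a.is_loopback for a in addrs) else "ineffective"


if __name__ == "__main__":
    with open("/etc/hosts", encoding="utf-8", errors="replace") as fh:
        print(UPDATE_HOST, "workaround:", workaround_status(fh.read()))
```

An entry for a different name, such as www.enomaly.com, does not cover the host in the update URL, and a non-loopback entry for the same name leaves the result dependent on resolver behaviour.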

Resolution

There is no resolution at this time as the feature cannot be disabled. Vendor
claims that the vulnerability is by design and has no plans to release a fix.

History

2009-02-09 Bug initially reported to Enomaly by mail
2009-02-09 CVE requested from Mitre; TBA
2009-02-10 Product Development Manager acknowledged receipt:
"This is by design, it's a method to allow modules to be downloaded and
installed as needed. It's a recovery mechanism for borked installs (which
happen quite frequently with easy_install). None of this stuff is exploitable
or malicious under any normal circumstances."
2009-02-12 Publication of vulnerability