====================================================================== = Security Objectives Advisory (SECOBJADV-2008-05) = ====================================================================== Veritas Storage Foundation Arbitrary File Read Vulnerability http://www.security-objectives.com/advisories/SECOBJSADV-2008-05.txt AFFECTED: Veritas Storage Foundation 5.0 PLATFORM: Solaris, Linux, AIX, HP-UX CLASSIFICATION: Improper Ownership Management (CWE-282) RESEARCHER: Derek Callaway IMPACT: Arbitrary File Read SEVERITY: Medium DIFFICULTY: Trivial REFERENCES: CVE-2008-4638, SYM08-018, BID 31679 BACKGROUND Veritas Storage Foundation 5.0 from Symantec provides a complete solution for heterogeneous online storage management. Based on the industry-leading Veritas Volume Manager and Veritas File System, it provides a standard set of integrated tools to centrally manage explosive data growth, maximize storage hardware investments, provide data protection and adapt to changing business requirements. SUMMARY VxFS is an extent based, journaling filesystem. It implements a "Quick I/O for Databases" feature; qioadmin is the setuid root administration utility for this functionality. When given an arbitrary filename, it will write the file's contents to the standard error stream. ANALYSIS qioadmin will write arbitrary files (including /etc/shadow) to stderr. Each line will be prepended with a custom error message followed by file contents. Clearly, this can lead to privilege escalation by cracking the password ciphertext for the "superuser" or root account. WORKAROUND Remove the set-uid bit from the qioadmin binary. chmod u-s /opt/VRTS/bin/qioadmin VENDOR RESPONSE Symantec included a fix for this problem in the recent maintenance release Veritas Software File System 5.0 MP3. DISCLOSURE TIMELINE 11-Aug-2008 Discovery of Vulnerability 18-Aug-2008 Developed Proof-of-Concept 21-Aug-2008 Reported to Vendor 20-Oct-2008 Maintenance Release 22-Oct-2008 Published Advisory ABOUT SECURITY OBJECTIVES Security Objectives is a security centric consultancy and software development corporation which operates in the area of application assurance software. Security Objectives employs methods that are centered on software comprehension, therefore a more in-depth contextual understanding of the application is developed. http://security-objectives.com/ LEGAL Permission is granted for electronic distribution of this advisory. It may not be edited without the written consent of Security Objectives. The information contained in this advisory is believed to be accurate based on currently available information and is provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the information is with you.