eEye Retina audit script could execute untrusted programs as root

Overview

eEye Retina audit scripts have the capability to run remote shell scripts in order to determine vulnerable applications. One audit script in particular (audit ID 2499) uses find(1) and execute (-exec) when assessing a vulnerability within Gauntlet Firewall. An attacker who can write an executable file in the portion of the file system searched with the find command may be able to exploit this vulnerability to execute arbitrary code with the same privileges provided to Retina to perform a vulnerability scan.

Description

The eEye Retina Network Security Scanner software executes various audits against target systems to conduct security vulnerability assessment testing. eEye provides audit scripts to help perform security reviews of various

operating systems and applications. One audit script for Solaris, HP-UX, and IRIX systems (audit ID 2499) checks the program version by searching the /usr/local portion of the file system and executing a file with options to display version information. The script executes a program based on file name. If an attacker can place an executable file with an appropriate name in /usr/local, that file will be executed by the audit script.

Reported vulnerable audit script:
Audit ID (2499) tests for the version of Gauntlet Firewall software installed under /usr/local on Solaris, HP-UX, and IRIX target machines with the following line of UNIX shell script: find /usr/local -name gauntlet -exec {} -v \

eEye recommends using unprivileged accounts when scanning hosts with the Retina product. However, the option does exist for user of Retina to provide a root credential to perform scans. In addition eEye provides documentation with warnings on how to run scans with sudo.

---

Impact

An attacker who is able to write an executable file under the /usr/local file system (most likely, but not necessarily a local user) can execute arbitrary code with the same privileges provided to Retina to perform the vulnerability scan.

---

Solution

Update

The vendor has reported that this vulnerability has been fixed in audits revision 2424, released on 10/3/2011.

---

eEye Retina recommends the following workarounds:

* Do not allow unprivileged users write access to /usr/local and its subdirectories on Solaris, HP-UX, and IRIX systems.
* Remove audit 2499 from the scan policy.
* Perform vulnerability scans with unprivileged (non-root) user accounts.  

Determine version information safely

Take care when executing programs as root, to determine version information or for any other reason.

* Determine version information passively, for instance, by checking file properties.
* Execute programs with version options using a non-privileged account.
* Execute only trusted programs, for example, using absolute file paths and files/directories that are not writable by non-root users.
* ---  

Vendor Information

448051

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

eEye __ Affected

Notified: September 30, 2011 Updated: November 09, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Fixed in audits revision 2424. Released 10/3/2011.

Vendor References

• <http://www.eeye.com/Resources/Security-Center/Research/Security-Advisories/AL20111108&gt;

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.eeye.com/products&gt;
• <http://www.eeye.com/Support/Knowledge-Base/Article.aspx?id=KB000883&gt;
• <http://www.eeye.com/Resources/Security-Center/Research/Security-Advisories/AL20111108&gt;

Acknowledgements

Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:	CVE-2011-3337
Severity Metric:	0.13 Date Public: