NCCGroup EasyDA Credential Disclosure

2014-04-04T00:00:00
ID PACKETSTORM:126015
Type packetstorm
Reporter 0a29406d9794e4f9b30b3c5d6702c708
Modified 2014-04-04T00:00:00

Description

                                        
                                            `~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.  
_______ ________ ________ _____ _______  
\ _ \ _____ \_____ \/ __ \/ | | \ _ \  
/ /_\ \\__ \ / ____/\____ / | |_/ /_\ \  
\ \_/ \/ __ \_/ \ / / ^ /\ \_/ \  
\_____ (____ /\_______ \ /____/\____ | \_____ /  
\/ \/ \/ |__| \/  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.  
  
0A29-14-1 : NCCGroup EasyDA privilege escalation & credential disclosure  
vulnerability [0day]  
  
Author: 0a29406d9794e4f9b30b3c5d6702c708  
  
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940  
  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.  
Description:  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.  
  
EasyDA by NCCGroup uses /tmp in an insecure manner.  
1) Domain Admin credentials can be obtained by a low-privileged user  
2) A low-privileged user can escalate to the user which runs EasyDA  
  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.  
Timeline:  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.  
  
22 June 2013 - Reported  
24 June 2013 - Acknowledged  
20 March 2014 - NCCGroup publish an insecure temp priv-esc in Nessus  
(plugin)  
20 March 2014 - 0a2940 remembers about EasyDa......  
02 April 2014 - Published (with extra-special ascii :-))  
  
  
NCCGroups's vuln in nessus:  
https://www.nccgroup.com/media/481256/ncc00643-technical-advisory-nessus-authenticated-scan-local-privilege-escalation.pdf  
NCCGroup's software:  
https://github.com/nccgroup/easyda  
  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.  
Details:  
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.  
  
Many problems  
e.g.  
cat "$HASHFILE" |cut -d ":" -f 1 >/tmp/user.txt  
  
cat "$HASHFILE" |cut -d ":" -f 3,4 >/tmp/pass.txt  
  
paste /tmp/user.txt /tmp/pass.txt >/tmp/userpass.txt  
  
etc.  
  
More info:  
https://www.securecoding.cert.org/confluence/display/seccode/FIO21-C.+Do+not+create+temporary+files+in+shared+directories  
  
  
`