TS-2007-002-0.txt

2007-08-08T00:00:00
ID PACKETSTORM:58348
Type packetstorm
Reporter Template Security
Modified 2007-08-08T00:00:00

Description

                                        
                                            `Template Security Security Advisory  
-----------------------------------  
  
BlueCat Networks Adonis root Privilege Access  
  
Date: 2007-08-06  
Advisory ID: TS-2007-002-0  
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/  
Revision: 0  
  
Contents  
--------  
  
Summary  
Software Version  
Details  
Impact  
Exploit  
Workarounds  
Obtaining Patched Software  
Credits  
Revision History  
  
Summary  
-------  
  
Template Security has discovered a serious user input  
validation vulnerability in the BlueCat Networks Proteus IPAM  
appliance. Proteus can be used to upload files to managed  
Adonis appliances to be downloadable by TFTP from the  
appliance. A Proteus administrator with privilege to add TFTP  
files and perform TFTP deployments can overwrite existing files  
and create new files as root on the Adonis DNS/DHCP appliance.  
This can be used for example to overwrite the system password  
database and change the root account password.  
  
Software Version  
----------------  
  
Proteus version 2.0.2.0 and Adonis version 5.0.2.8 were tested.  
  
Details  
-------  
  
Proteus allows TFTP files to be named by an administrator, and  
there is no data validation performed for user input such as  
relative paths. Files are supposed to be copied only to the  
/tftpboot/ directory, and the file copy is performed with root  
privilege. This means for example that a file named  
"../etc/shadow" will overwrite the shadow password database  
"/etc/shadow".  
  
Impact  
------  
  
Successful exploitation of the vulnerability will result in  
root access on the Adonis appliance.  
  
Exploit  
-------  
  
0) Create a new TFTP Group in a Proteus configuration.  
  
1) Add a TFTP deployment role specifying an Adonis appliance to  
the group.  
  
2) At the top-level folder in the new TFTP group, add a file  
named "../etc/shadow" (without the quotes) and load a file  
containing the following line:  
  
root:Im0Zgl8tnEq9Y:13637:0:99999:7:::  
  
NOTE: The sshd configuration uses the default setting  
'PermitEmptyPasswords no', so we specify a password of  
bluecat.  
  
3) Deploy the configuration to the Adonis appliance.  
  
4) You can now login to the Adonis appliance as root with  
password bluecat.  
  
$ ssh root@192.168.1.11  
root@192.168.1.11's password:   
# cat /etc/shadow  
root:Im0Zgl8tnEq9Y:13637:0:99999:7:::  
  
NOTE: This example assumes SSH is enabled, iptables permits  
port tcp/22, etc.  
  
Many attack variations are possible, such as changing system  
startup scripts to modify the iptables configuration on the  
appliance.  
  
Workarounds  
-----------  
  
The attack can be prevented by creating an access right  
override at the configuration level to disable TFTP access for  
each administrator.  
  
Obtaining Patched Software  
--------------------------  
  
Contact the vendor.  
  
Credits  
-------  
  
defaultroute discovered this vulnerability while performing a  
security review of the Proteus IPAM appliance (a discovery  
fueled by Red Bull and techno). defaultroute is a member of  
Template Security.  
  
Revision History  
----------------  
  
2007-08-06: Revision 0 released  
  
  
`