Sun IDM Arbitrary Command Execution

`1) Summary  
  
Affected Software: Sun IDM 7.1, 8.0  
Vendor URL: http://www.sun.com/  
Severity: Medium  
  
2) Description  
  
Sun Identity Manager facilitates centralized identity provisioning for  
variety of application and platforms. Its web interface allows end users  
to request password change. To handle such requests the system has to  
manipulate account databases on the target resources. In the case of  
*NIX-based systems the management server remotely logs in to a target  
server and issues a series of shell command, using send-expect technique.  
  
The system allows users to submit passwords containing control  
characters including new line (ASCII 0x0A). The implementation of  
send-expect mechanism fails to handle such passwords correctly. This  
flaw allows an unprivileged Sun IDM user to execute an arbitrary UNIX  
shell command by requesting a password to be changed to a specially  
crafted value. The injected command will be executed with root  
privileges on all UNIX systems the user is provisioned on.  
  
3) Details  
  
The attack is enabled by two factors:  
  
1. New line character (ASCII 0x0A) is allowed in user passwords  
2. *NIX connectors utilize send-expect technique to interact  
with 'passwd' program, but fails to handle passwords  
containing new line characters.  
  
In the process of changing the user password to a value containing a  
newline the interaction between the IDM connector and UNIX shell goes  
out of sync and the password gets executed by UNIX shell running as root.  
  
To reproduce, request a password change for a user provisioned on some  
Solaris server. The password has to consist of a UNIX shell command to  
be executed repeated twice and separated by the new line character. One  
way of doing it is to use an intercepting web proxy (such as Webscarab)  
to modify HTTP message carrying the password change request. For  
example, to inject 'id > /x' command, the modified request will look as  
following:  
  
POST /idm/user/changePassword.jsp?lang=en&cntry=US HTTP/1.1  
id=***&command=Save&activeControl=&resourceAccounts.selectAll=true&  
  
resourceAccounts.password=id>/x%0aid>/x&resourceAccounts.confirmPassword=id>/x%0aid>/x  
  
  
In the request above the values of resourceAccounts.password and  
resourceAccounts.confirmPassword parameters contain %0a, which is  
URL-encoding for the new line character. After the request is submitted,  
/x file will appear on resources the user is provisioned at:  
  
# ls -l /x  
-rw-r--r-- 1 root root 24 Dec 22 15:52 /x  
# cat /x  
uid=0(root) gid=0(root)  
  
4) Solution  
  
This vulnerability is addressed by security patches released by the  
vendor. Sun Alert document #253267  
(http://sunsolve.sun.com/search/document.do?assetkey=1-26-253267-)  
contains information about suitable patches.  
  
5) Workaround  
  
The password policy can be used to prohibit new line characters in  
passwords. This can be done by editing the password policy object  
through the debugging interface of IDM, the relevant portion of the  
object should look as follows:  
  
<Attribute name='Must Not Contain Words'>  
<List>  
<String>&#xA;</String>  
</List>  
</Attribute>  
  
The workaround is somewhat fragile, it must be re-applied each time  
after the password policy gets edited via GUI, because GUI drops the new  
line character from the rule.  
  
6) Time Table  
  
2008/12/24 The vendor was informed  
2009/01/14 The vendor has confirmed the problem  
2009/03/23 Sun Security Alert #253267 was published  
2009/05/12 Scanit Advisory was published  
  
7) Additional Information  
  
The original advisory can be found here:  
http://www.scanit.be/advisory-2005-05-12.html  
  
8) About Scanit  
  
Scanit is a security company located in Brussels, Belgium. We specialize  
in security assessments, offering services such as penetration tests,  
application source code reviews, and risk assessments. More information  
can be found at http://www.scanit.be/  
  
--   
Alexandre Bezroutchko  
`