Cisco Unified Communications Manager Privilege Escalation

2010-11-05T00:00:00
ID PACKETSTORM:95550
Type packetstorm
Reporter Knud
Modified 2010-11-05T00:00:00

Description

                                        
                                            ` nSense Vulnerability Research Security Advisory NSENSE-2010-003  
---------------------------------------------------------------  
  
Affected Vendor: Cisco Systems, Inc  
Affected Product: Cisco Unified Communications Manager  
Platform: All  
Impact: Privilege Escalation  
Vendor response: Patch. IntelliShield ID 21656  
CVE: CVE-2010-3039  
Credit: Knud / nSense  
  
Technical details  
---------------------------------------------------------------  
  
Cisco Unified Communications Manager contains a setuid binary  
which fails to validate command line arguments. A local user  
can leverage this vulnerability to gain root access by  
supplying suitable arguments to the binary.  
  
The application also contains unsafe function calls, such as  
sprintf().  
  
Proof of concept:  
/usr/local/cm/bin/pktCap_protectData -i";id"  
  
Timeline:  
Aug 21st Contacted vendor PSIRT  
Aug 23rd Vendor response. Vulnerability acknowledged  
Aug 23rd More information sent to vendor  
Sep 2nd Status update request sent to vendor  
Sep 2nd Vendor response  
Sep 3rd Vendor response. More information provided.  
Sep 22nd Status update request sent to vendor  
Sep 22nd Vendor response  
Sep 23rd Vendor response. New release date suggested  
Sep 23rd Agreed to the October 20th release date  
Sep 23rd Vendor response  
Oct 6th Requested schedule information from vendor  
Oct 6th Vendor response. New release date suggested  
Oct 6th Sent counterproposal to vendor  
Oct 6th Vendor response. Requested Wednesday release  
Oct 7th Agreed to the new release date  
Oct 7th Vendor response  
Nov 3rd Vendor confirms release and sends link  
Nov 5th Advisory published  
  
A thank you to Matthew Cerha / Cisco PSIRT for the coordination  
effort.  
  
"Remember, remember the Fifth of November"  
  
Links:  
http://tools.cisco.com/security/center/viewAlert.x?alertId=21656  
  
http://www.nsense.fi http://www.nsense.dk  
  
  
  
$$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.  
$$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$  
$$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$  
$$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$  
$$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P  
  
D r i v e n b y t h e c h a l l e n g e _  
  
`