Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability

2013.11.22

Credit: steve jobs

Risk: High

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

Imperva use hardened centos 5.4 to run Web Application Firewall and Database Activity Monitoring product.
It could be exploit to get root in the kernel 2.6.18-164.15.1.el5.imp4 which was built by imperva in 9.5 patch 8 and
10.0 patch 2.
I hope imperva could upgrade your OS to centos 5.9 with kernel 2.6.18-348 to keep your system secure.
Your can check the attachment for details.
[test95p8 () GFWAF ~]$ uname -a
Linux GFWAF 2.6.18-164.15.1.el5.imp4 #1 SMP Mon Apr 8 15:29:20 IDT 2013 x86_64 x86_64 x86_64 GNU/Linux
[test95p8 () GFWAF ~]$ cat /etc/redhat-release
Imperva release 5.4 (Final)
[test95p8 () GFWAF ~]$ wc -l /etc/shadow
wc: /etc/shadow: Permission denied
[test95p8 () GFWAF ~]$ id
uid=505(test95p8) gid=507(test95p8) groups=507(test95p8)
[test95p8 () GFWAF ~]$ ./centos54_localroot_exp
########snip##############
sh-3.2# id
uid=0(root) gid=507(test95p8) groups=507(test95p8)
sh-3.2# wc -l /etc/shadow
40 /etc/shadow
sh-3.2#
[root () WAF ~]# impctl platform show 2> /dev/null | grep version
version 10.0.0.2_0
[root () WAF ~]# uname -a
Linux WAF 2.6.18-164.15.1.el5.imp4 #1 SMP Mon Apr 8 15:29:20 IDT 2013 x86_64 x86_64 x86_64 GNU/Linux
[root () WAF ~]# cat /etc/redhat-release
Imperva release 5.4 (Final)

References:

http://seclists.org/fulldisclosure/2013/Nov/162

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2 localroot vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.