Arbitrary Command Execution in DataDomain Administrator Interface

2007.04.05
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


Overall CVSS score: 9/10
Impact: 10/10
Exploitability: 8/10
Access required: Remote
Attack complexity: Low
Authentication: Single
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

SUMMARY
=======

An arbitrary command execution vulnerability exists in the command line administration interface of the software used by DataDomain appliances. An attacker who is able to access the administration interface could exploit this vulnerability to install malicious software and use the DataDomain appliance as a base from which to launch attacks on other systems.

AFFECTED SOFTWARE
=================

* Data Domain OS 3.0.0 through 4.0.3.5
* Possibly Data Domain OS 2.x and earlier

UNAFFECTED
==========

* Data Domain OS 4.0.3.6 and later

IMPACT
======

An attacker who is able to access the administration interface could install malicious software and use the DataDomain appliance as a base from which to launch attacks on other systems. Because its owners may not view the DataDomain appliance as a general-purpose device, they may not suspect that it might be compromised. In that way the attacker might evade detection, even if other compromised systems are discovered and quarantined.

DETAILS
=======

Several of the commands present in the DataDomain administrative interface are very simple wrappers around UNIX commands, including ping, ifconfig, date, netstat, uptime, etc. In several cases, the arguments to these commands are not sufficiently validated before they are passed to the UNIX shell for execution. By using specially crafted arguments, an attacker could inject shell special characters into the shell command line, leading to execution of arbitrary programs.

SOLUTION
========

Upgrade to DataDomain OS 4.0.3.6 or later.

EXPLOIT
=======

These command lines will launch an interactive UNIX shell:

ifconfig eth0:;sh
ping sh interface eth0:;

ACKNOWLEDGMENTS
===============

Thanks to DataDomain for fixing this issue quickly and for their cooperation in the development of this advisory.

REVISION HISTORY
================

2007-03-28 original release

--
Elliot Kendall <ekendall (at) brandeis (dot) edu>
Network Security Architect
Brandeis University
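The flaw class described under DETAILS, shown as an added example that is not part of the advisory and not DataDomain's code: the wrapper pattern that pastes an argument into a shell command line, next to a wrapper that validates the argument against an allow-list and executes the program without a shell. The function names, the interface-name pattern and the /sbin/ifconfig path are assumptions made for illustration.

```python
import re
import subprocess

# Characters the POSIX shell treats specially; any of them in an argument
# changes how a shell-built command line is parsed.
SHELL_META = set(";|&$`<>(){}*?!~#\\'\" \t\n")

# Allow-list for an interface name with optional numeric alias (assumed policy).
IFACE_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,11}(?::[0-9]{1,3})?")


def shell_metachars(arg):
    """Return the shell metacharacters present in arg, in order of appearance."""
    return [c for c in arg if c in SHELL_META]


def unsafe_command_line(iface):
    """The flawed pattern: the argument is pasted into a string for /bin/sh."""
    return "ifconfig " + iface  # shown only as a string, never executed here


def safe_argv(iface, binary="/sbin/ifconfig"):
    """Validate against the allow-list and build an argv vector (no shell)."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("rejected interface name: %r" % iface)
    return [binary, iface]


def run_ifconfig(iface, binary="/sbin/ifconfig"):
    """Execute the wrapped command directly; no shell ever parses the argument."""
    return subprocess.run(safe_argv(iface, binary), shell=False,
                          capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, an alias, and the advisory's argument.
    for arg in ("eth0", "eth0:1", "eth0:;sh"):
        try:
            print(arg, "->", safe_argv(arg))
        except ValueError as exc:
            print(arg, "->", exc, "metachars:", shell_metachars(arg))
```

Rejected arguments and the metacharacters found in them are worth logging by the administration interface, since they indicate an injection attempt rather than a typing error.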

