SUMMARY
=======
An arbitrary command execution vulnerability exists in the command line
administration interface of the software used by DataDomain appliances.
An attacker who is able to access the administration interface could
exploit this vulnerability to install malicious software and use the
DataDomain appliance as a base from which to launch attacks on other
systems.
AFFECTED SOFTWARE
=================
* Data Domain OS 3.0.0 through 4.0.3.5
* Possibly Data Domain OS 2.x and earlier
UNAFFECTED
==========
* Data Domain OS 4.0.3.6 and later
IMPACT
======
An attacker who is able to access the administration interface could
install malicious software and use the DataDomain appliance as a base
from which to launch attacks on other systems. Because its owners may
not view the DataDomain applicance as a general-purpose device, they
may not suspect that it might be compromised. In that way the attacker
might evade detection, even if other compromised systems are discovered
and quarantined.
DETAILS
=======
Several of the commands presents in the DataDomain administrative are
very simple wrappers around UNIX commands, including ping, ifconfig,
date, netstat, uptime, etc. In several cases, the arguments to these
commands are not sufficiently validated before they are passed to the
UNIX shell for execution. By using specially crafted arguments, and
attacker could inject shell special characters into the shell command
line, leading to execution of arbitrary programs.
SOLUTION
========
Upgrade to DataDomain OS 4.0.3.6 or later
EXPLOIT
=======
These command lines will launch an interactive UNIX shell:
ifconfig eth0:;sh
ping sh interface eth0:;
ACKNOWLEDGMENTS
===============
Thanks to DataDomain for fixing this issue quickly and their
cooperation in the development of this advisory.
REVISION HISTORY
================
2007-03-28 original release
--
Elliot Kendall <ekendall (at) brandeis (dot) edu [email concealed]>
Network Security Architect
Brandeis University