Arbitrary Command Execution in DataDomain Administrator Interface

2007.04.05
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

SUMMARY
=======

An arbitrary command execution vulnerability exists in the command line
administration interface of the software used by DataDomain appliances. An
attacker who is able to access the administration interface could exploit
this vulnerability to install malicious software and use the DataDomain
appliance as a base from which to launch attacks on other systems.

AFFECTED SOFTWARE
=================

* Data Domain OS 3.0.0 through 4.0.3.5
* Possibly Data Domain OS 2.x and earlier

UNAFFECTED
==========

* Data Domain OS 4.0.3.6 and later

IMPACT
======

An attacker who is able to access the administration interface could install
malicious software and use the DataDomain appliance as a base from which to
launch attacks on other systems. Because its owners may not view the
DataDomain appliance as a general-purpose device, they may not suspect that
it might be compromised. In that way the attacker might evade detection, even
if other compromised systems are discovered and quarantined.

DETAILS
=======

Several of the commands present in the DataDomain administrative interface
are very simple wrappers around UNIX commands, including ping, ifconfig,
date, netstat, uptime, etc. In several cases, the arguments to these commands
are not sufficiently validated before they are passed to the UNIX shell for
execution. By using specially crafted arguments, an attacker could inject
shell special characters into the shell command line, leading to execution of
arbitrary programs.

SOLUTION
========

Upgrade to DataDomain OS 4.0.3.6 or later

EXPLOIT
=======

These command lines will launch an interactive UNIX shell:

  ifconfig eth0:;sh
  ping sh interface eth0:;

ACKNOWLEDGMENTS
===============

Thanks to DataDomain for fixing this issue quickly and for their cooperation
in the development of this advisory.

REVISION HISTORY
================

2007-03-28 original release

--
Elliot Kendall <ekendall (at) brandeis (dot) edu>
Network Security Architect
Brandeis University
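The wrapper pattern described under DETAILS, next to a hardened form, as an added example that is not DataDomain's code or part of the original advisory. The function names, the "ifconfig " + argument command template, and the interface-name allowlist are assumptions made for illustration.

```python
import re
import shlex

# Assumed allowlist: a Linux-style interface name with an optional numeric
# alias, e.g. "eth0" or "eth0:1". Anything else is rejected up front.
IFACE_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,14}(?::[0-9]{1,4})?")


def unsafe_ifconfig_line(iface):
    """Vulnerable pattern (assumed template): argument pasted into a shell string."""
    return "ifconfig " + iface


def shell_commands(line):
    """Split a line into the separate commands a shell would see (on ; & |)."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok and set(tok) <= set(";&|"):  # a run of command separators
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def safe_ifconfig_argv(iface):
    """Hardened pattern: validate against the allowlist, then return an argv
    list for subprocess.run(argv) without shell=True, so no shell parses it."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("invalid interface name: %r" % iface)
    return ["ifconfig", iface]


if __name__ == "__main__":
    # The last value is the argument shown in the EXPLOIT section.
    for arg in ("eth0", "eth0:1", "eth0:;sh"):
        print(arg, "->", shell_commands(unsafe_ifconfig_line(arg)))
        try:
            print("  argv:", safe_ifconfig_argv(arg))
        except ValueError as exc:
            print("  rejected:", exc)
```

Nothing is executed: the script only shows how a shell would split the concatenated line and which arguments the allowlist accepts.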



Copyright 2024, cxsecurity.com

 
