TS-2007-003-0: BlueCat Networks Adonis CLI root privilege escalation

2007.08.20
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Template Security Security Advisory ----------------------------------- BlueCat Networks Adonis CLI root privilege escalation Date: 2007-08-16 Advisory ID: TS-2007-003-0 Vendor: BlueCat Networks, http://www.bluecatnetworks.com/ Revision: 0 Contents -------- Summary Software Version Details Impact Exploit Workarounds Obtaining Patched Software Credits Revision History Summary ------- Template Security has discovered a root privilege escalation vulnerability in the BlueCat Networks Adonis DNS/DHCP appliance which allows the admin user to gain root privilege from the Command Line Interface (CLI). Software Version ---------------- Adonis version 5.0.2.8 was tested. Details ------- The admin account on the Adonis DNS/DHCP appliance provides access to a CLI that allows an administrator to perform tasks such as setting the IP address, netmask, system time and system hostname. By entering a certain command sequence, the administrator is able to execute a command as root. Impact ------ Access to the admin account is the same as root access on the appliance. Exploit ------- Here we use the 'set host-name' CLI command to execute a root shell: :adonis>set host-name ;bash adonis.katter.org root@adonis:~# id uid=0(root) gid=0(root) groups=0(root) NOTE: There may be other command sequences that accomplish the same result. Workarounds ----------- Only provide admin account access to administrators that also have root account access on the appliance. Obtaining Patched Software -------------------------- Contact the vendor. Credits ------- forloop discovered this vulnerability while enjoying a Tuborg Gold. forloop is a member of Template Security. Revision History ---------------- 2007-08-16: Revision 0 released


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top