Overland Guardian OS CLI command line bug - let you get uid 0 shell

2010-01-13 / 2010-01-14

Credit: trompele

Risk: High

Local: Yes

Remote: No

CVE: CVE-2009-4607

CWE: CWE-264

CVSS Base Score: 7.2/10

Impact Subscore: 10/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

Device: Snap Server 410
OS: GuardianOS 5.1.041
Description: When logged in to CLI via ssh as admin (uid=1) you can escalate your privileges to uid 0 and get /bin/sh. In order to achieve this open 'less' which is available as default for viewing files (ie. less /tmp/top.log) and type in '!/bin/sh'. This will give you direct access to sh shell with UID 0. Tested only on OS version as above.

References:

http://xforce.iss.net/xforce/xfdb/53881

http://www.securityfocus.com/bid/36739

http://www.securityfocus.com/archive/1/archive/1/507318/100/0/threaded

http://www.juniper.net/security/auto/vulnerabilities/vuln36739.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Overland Guardian OS CLI command line bug - let you get uid 0 shell

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.