~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. _______ ________ ________ _____ _______ \ _ \ _____ \_____ \/ __ \/ | | \ _ \ / /_\ \\__ \ / ____/\____ / | |_/ /_\ \ \ \_/ \/ __ \_/ \ / / ^ /\ \_/ \ \_____ (____ /\_______ \ /____/\____ | \_____ / \/ \/ \/ |__| \/ ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. 0A29-14-1 : NCCGroup EasyDA privilege escalation & credential disclosure vulnerability [0day] Author: 0a29406d9794e4f9b30b3c5d6702c708 twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940 ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Description: ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. EasyDA by NCCGroup uses /tmp in an insecure manner. 1) Domain Admin credentials can be obtained by a low-privileged user 2) A low-privileged user can escalate to the user which runs EasyDA ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Timeline: ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. 22 June 2013 - Reported 24 June 2013 - Acknowledged 20 March 2014 - NCCGroup publish an insecure temp priv-esc in Nessus (plugin) 20 March 2014 - 0a2940 remembers about EasyDa...... 02 April 2014 - Published (with extra-special ascii :-)) NCCGroups's vuln in nessus: https://www.nccgroup.com/media/481256/ncc00643-technical-advisory-nessus-authenticated-scan-local-privilege-escalation.pdf NCCGroup's software: https://github.com/nccgroup/easyda ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Details: ~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~. Many problems e.g. cat "$HASHFILE" |cut -d ":" -f 1 >/tmp/user.txt cat "$HASHFILE" |cut -d ":" -f 3,4 >/tmp/pass.txt paste /tmp/user.txt /tmp/pass.txt >/tmp/userpass.txt etc. More info: https://www.securecoding.cert.org/confluence/display/seccode/FIO21-C.+Do+not+create+temporary+files+in+shared+directories