Fluentd TD-agent 4.0.1 Insecure Folder Permission

2021.01.05
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-732


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission
# Date: 21.12.2020
# Exploit Author: Adrian Bondocea
# Vendor Homepage: https://www.fluentd.org/
# Software Link: https://td-agent-package-browser.herokuapp.com/4/windows
# Version: <v4.0.1
# Tested on: Windows 10 x64
# CVE : CVE-2020-28169
# External URL: https://github.com/zubrahzz/FluentD-TD-agent-Exploit-CVE-2020-28169

Description:
The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.

Vulnerable Path: ( Authenticated Users have permission to write within the location )

PS C:\opt\td-agent\bin> icacls C:\opt\td-agent\bin
C:\opt\td-agent\bin BUILTIN\Administrators:(I)(OI)(CI)(F)
                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                    BUILTIN\Users:(I)(OI)(CI)(RX)
                    NT AUTHORITY\Authenticated Users:(I)(M)
                    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

Vulnerable service:

PS C:\opt\td-agent\bin> get-service fluentdwinsvc

Status   Name               DisplayName
------   ----               -----------
Running  fluentdwinsvc      Fluentd Windows Service

Service Path:
"C:/opt/td-agent/bin/ruby.exe" -C t"C:/opt/td-agent/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/command/.." winsvc.rb --service-name fluentdwinsvc
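A defender's check for the condition visible in the icacls output above, as an added example that is not part of the original advisory or the exploit author's code: it parses icacls output and reports ACEs that grant write-capable rights to principals other than the expected owners of service binaries. The function name, the trusted-principal list and the set of rights treated as write-capable are assumptions of this example.

```python
import re

# icacls rights that allow creating, replacing or deleting files (example's choice).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "DE", "WDAC", "WO", "GW", "GA"}
# Principals assumed to legitimately hold write access to service binaries.
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
           "NT SERVICE\\TrustedInstaller"}
# "<principal>:(flag)(flag)..." once the leading path has been stripped.
ACE_RE = re.compile(r"^(.+?):((?:\([A-Za-z,]+\))+)$")

# The icacls output quoted in the advisory.
SAMPLE_ICACLS = r"""
C:\opt\td-agent\bin BUILTIN\Administrators:(I)(OI)(CI)(F)
                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                    BUILTIN\Users:(I)(OI)(CI)(RX)
                    NT AUTHORITY\Authenticated Users:(I)(M)
                    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
"""

def writable_aces(path, icacls_output):
    """Return (principal, rights, scope) for each risky allow-ACE on `path`."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        # The first ACE line is prefixed with the path, which itself contains ':'.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        who = m.group(1)
        tokens = {t for grp in re.findall(r"\(([^)]+)\)", m.group(2))
                  for t in grp.split(",")}
        if "DENY" in tokens or who in TRUSTED:
            continue
        rights = sorted(tokens & WRITE_RIGHTS)
        if rights:
            # (IO) = inherit-only: the ACE applies to children, not the folder itself.
            scope = "children only" if "IO" in tokens else "this folder"
            findings.append((who, rights, scope))
    return findings

if __name__ == "__main__":
    for who, rights, scope in writable_aces(r"C:\opt\td-agent\bin", SAMPLE_ICACLS):
        print(f"{who}: {','.join(rights)} ({scope})")
```

Both Authenticated Users entries are reported: the first lets any logged-on user add files to bin, the inherit-only one lets them modify the files already inside it.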


Copyright 2021, cxsecurity.com

 
