Информационная безопасность
[RU] switch to English

Дополнительная информация

  Обратный путь в каталогах TFTP в Adonis (privilege escalation)

From:anonymous.c7ffa4057a_(at)_anonymousspeech.com <anonymous.c7ffa4057a_(at)_anonymousspeech.com>
Date:7 августа 2007 г.
Subject:TS-2007-002-0: BlueCat Networks Adonis root Privilege Access

Template Security Security Advisory

 BlueCat Networks Adonis root Privilege Access

 Date: 2007-08-06
 Advisory ID: TS-2007-002-0
 Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
 Revision: 0


 Software Version
 Obtaining Patched Software
 Revision History


 Template Security has discovered a serious user input
 validation vulnerability in the BlueCat Networks Proteus IPAM
 appliance.  Proteus can be used to upload files to managed
 Adonis appliances to be downloadable by TFTP from the
 appliance.  A Proteus administrator with privilege to add TFTP
 files and perform TFTP deployments can overwrite existing files
 and create new files as root on the Adonis DNS/DHCP appliance.
 This can be used for example to overwrite the system password
 database and change the root account password.

Software Version

 Proteus version and Adonis version were tested.


 Proteus allows TFTP files to be named by an administrator, and
 there is no data validation performed for user input such as
 relative paths.  Files are supposed to be copied only to the
 /tftpboot/ directory, and the file copy is performed with root
 privilege.  This means for example that a file named
 "../etc/shadow" will overwrite the shadow password database


 Successful exploitation of the vulnerability will result in
 root access on the Adonis appliance.


 0) Create a new TFTP Group in a Proteus configuration.

 1) Add a TFTP deployment role specifying an Adonis appliance to
    the group.

 2) At the top-level folder in the new TFTP group, add a file
    named "../etc/shadow" (without the quotes) and load a file
    containing the following line:

    NOTE: The sshd configuration uses the default setting
    'PermitEmptyPasswords no', so we specify a password of

 3) Deploy the configuration to the Adonis appliance.

 4) You can now login to the Adonis appliance as root with
    password bluecat.

    $ ssh [email protected]
    [email protected]'s password:
    # cat /etc/shadow

    NOTE: This example assumes SSH is enabled, iptables permits
    port tcp/22, etc.

 Many attack variations are possible, such as changing system
 startup scripts to modify the iptables configuration on the


 The attack can be prevented by creating an access right
 override at the configuration level to disable TFTP access for
 each administrator.

Obtaining Patched Software

 Contact the vendor.


 defaultroute discovered this vulnerability while performing a
 security review of the Proteus IPAM appliance (a discovery
 fueled by Red Bull and techno).  defaultroute is a member of
 Template Security.

Revision History

 2007-08-06: Revision 0 released

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород