lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 25 Apr 2011 20:47:19 -0400
From: Nathan Power <np@...uritypentest.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Trustwave WebDefend Privilege Escalation
	Vulnerability

------------------------------------------------------------------
1. Summary:

A privilege escalation vulnerability has been identified in Trustwave's
WebDefend Enterprise product.  It is possible for the restricted operator
account to gain access as root on the appliance.

------------------------------------------------------------------
2. Description:

The operator account 'bgoperator' is used to perform system maintenance
functions.  This account accesses the appliance via ssh. It is important to
note that the operator account has a default password that has been provided
in the 'Getting Started' manual.

The operator account has a menu driven shell that does not allow the user to
input system commands.

---------
Main Menu
---------
1 -- Online Menu
2 -- Offline Menu
3 -- System Menu
? -- Help

The shell path for this account is located at:
'/usr/local/opt/breach/bin/start_bgadmin_cli'

Which is a script calling another script using the following line:
'sudo -u root /opt/breach/bwd/bin/bgadmin_cli'

You can see above, the second script is being executed as root!

When viewing log files the shell uses the 'more' command.  When using
'more', pressing 'v', will start the file in 'vi' text editor.  From 'vi' it
is possible to read and write to any file on the system as root.  By
modifying the operator account's login script we are able to gain access to
a root shell.

Below is a POC video demonstrating the attack:
http://www.securitypentest.com/2011/04/webdefend-privilege-escalation-poc.html

------------------------------------------------------------------
3. Impact:

Total system compromise to the appliance

------------------------------------------------------------------
4. Affected Products:

WebDefend Enterprise Manager Appliance version 5.0 and prior

------------------------------------------------------------------
5. Solution:  None

------------------------------------------------------------------
6. Time Table:

01/26/2011 Reported Vulnerability to the Vendor

------------------------------------------------------------------
7. Credits:

Discovered by Nathan Power
www.securitypentest.com

------------------------------------------------------------------

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ