lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070328193831.GF22227@groucho.unet.brandeis.edu>
Date: Wed, 28 Mar 2007 15:38:31 -0400
From: Elliot Kendall <ekendall@...ndeis.edu>
To: bugtraq@...urityfocus.com
Subject: Arbitrary Command Execution in DataDomain Administrator Interface

SUMMARY
=======

An arbitrary command execution vulnerability exists in the command line
administration interface of the software used by DataDomain appliances.
An attacker who is able to access the administration interface could
exploit this vulnerability to install malicious software and use the
DataDomain appliance as a base from which to launch attacks on other
systems.


AFFECTED SOFTWARE
=================

* Data Domain OS 3.0.0 through 4.0.3.5

* Possibly Data Domain OS 2.x and earlier

UNAFFECTED
==========

* Data Domain OS 4.0.3.6 and later

IMPACT
======

An attacker who is able to access the administration interface could
install malicious software and use the DataDomain appliance as a base
from which to launch attacks on other systems. Because its owners may
not view the DataDomain applicance as a general-purpose device, they
may not suspect that it might be compromised. In that way the attacker
might evade detection, even if other compromised systems are discovered
and quarantined.

DETAILS
=======

Several of the commands presents in the DataDomain administrative are
very simple wrappers around UNIX commands, including ping, ifconfig,
date, netstat, uptime, etc. In several cases, the arguments to these
commands are not sufficiently validated before they are passed to the
UNIX shell for execution. By using specially crafted arguments, and
attacker could inject shell special characters into the shell command
line, leading to execution of arbitrary programs.

SOLUTION
========

Upgrade to DataDomain OS 4.0.3.6 or later

EXPLOIT
=======

These command lines will launch an interactive UNIX shell:

ifconfig eth0:\;sh
ping sh interface eth0:\;

ACKNOWLEDGMENTS
===============

Thanks to DataDomain for fixing this issue quickly and their
cooperation in the development of this advisory.

REVISION HISTORY
================

2007-03-28  original release

-- 
Elliot Kendall <ekendall@...ndeis.edu>
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (2232 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ