lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 13 Feb 2009 00:43:40 +0100
From: Sam Johnston <samj@...j.net>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Enomaly ECP/Enomalism: Silent update remote command execution 
	vulnerability

Enomaly ECP/Enomalism: Silent update remote command execution vulnerability

Synopsis

All versions of Enomaly ECP/Enomalism have an insecure silent update mechanism
that could allow a remote attacker to execute arbitrary code as root.

Background

Enomaly ECP (formerly Enomalism) is management software for virtual machines.

Description

Sam Johnston (http://samj.net/) of Australian Online Solutions
(http://www.aos.net.au) reported that the main Enomaly ECP daemon (enomalism2d)
includes an undocumented silent update mechanism that insecurely downloads and
executes code from Enomaly's corporate web server.

Enomaly ECP silently attempts to receive and forcibly install unsigned python
modules over HTTP from http://enomaly.com/fileadmin/eggs/ (currently exception
drivemounter, and phone_home) when encountering any error loading any module.
This allows for remote, privileged exploitation without any user intervention.

Impact

Combined with the ability to intercept requests to Enomaly's corporate web
server by other means such as ARP or DNS spoofing, or compromise the server
itself or any intermediary server, it is possible to execute arbitrary
commands as the root user on any server requesting an update. An attacker may
also be able to trigger the update mechanism by inducing any condition where
modules fail to load, e.g. exhausting memory by making many web requests.

Workaround

Resolve enomaly.com to 127.0.0.1 in affected servers' hosts files.

Resolution

There is no resolution at this time as the feature cannot be disabled. Vendor
claims that the vulnerability is by design and has no plans to release a fix.

History

2009-02-09 Bug initially reported to Enomaly by mail
2009-02-09 CVE requested from Mitre; TBA
2009-02-10 Product Development Manager acknowledged receipt:
"This is by design, it's a method to allow modules to be downloaded and
installed as needed. It's a recovery mechanism for borked installs (which
happen quite frequently with easy_install).  None of this stuff is exploitable
or malicious under any normal circumstances."
2009-02-12 Publication of vulnerability

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ