[<prev] [next>] [day] [month] [year] [list]
Message-ID: <364734824.6597658.1439929286629.JavaMail.yahoo@mail.yahoo.com>
Date: Tue, 18 Aug 2015 20:21:26 +0000 (UTC)
From: Gregory Pickett <gpickett71@...oo.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: CVE-2015-5699 - Cumulus Linux's Switch Configuration Tools Backend,
clcmd_server, Vulnerable to Local Privilege Escalation
Title
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to Local Privilege Escalation
Summary
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable to local privilege escalation via Command Injection. Cumulus Linux’s clcmd_server, when receiving commands that end in user supplied labels, will execute any other command appended to the end of it whether it is in the Rosetta or not. And it will do so using its own running credentials which are root.
Affected Products
===================
Cumlus Linux 2.5.3 and Earlier
CVE
===================
CVE-2015-5699
Details
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable to local privilege escalation via Command Injection. Cumulus Linux’s clcmd_server, when receiving commands that end in user supplied labels, will execute any other command appended to the end of it whether it is in the Rosetta or not. This is because it stops checking the command against the Rosetta when it gets to the label. The label, meta-characters and all, are then passed to the shell for execution. And since clmd_server runs as root it executes both the authorized and the unauthorized command one after the other as root. It is important to note that the second command must begin with a single quote to terminate the command before it and ended with a single quote to close it.
The only limitation to the injection is that it will not work with spaces in the second command. This is because clcmd_server parses the command arguments with spaces. If you put any spaces in your second command, it will see the label as one more command, and fail the operation because it doesn't recognize it. This can easily be overcome by writing a script in your home directory and then calling the script as the second command.
The most potent use of this is a script that creates a root equivalent account. This would allow you, after injection, to su to root-level privileges and take over the system. Since anyone on the system can gain root through this vulnerability, it is considered high impact.
Verification of Vulnerability
===================
The following steps can be carried out in duplicating this vulnerability.
Step 1:
Create the following script in your home directory:
useradd hacker -p $(perl -e'print crypt("hacker", "aa")') -m
echo 'hacker ALL=(ALL:ALL) ALL' | tee --append /etc/sudoers > /dev/null
Step 2:
sudo cl-rctl "ip nht set ospf route-map long';/home/lab/script.sh'"
Step 3:
su hacker
Notes:
1. clcmd_server is started by root
2. The user lab was sudo-limited to cl-rctl only
Impact
===================
Unauthorized access. Elevation to root privileges and from there full control of the system.
Credits
===================
Gregory Pickett (@shogun7273), Hellfire Security
Powered by blists - more mailing lists