lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <364734824.6597658.1439929286629.JavaMail.yahoo@mail.yahoo.com>
Date: Tue, 18 Aug 2015 20:21:26 +0000 (UTC)
From: Gregory Pickett <gpickett71@...oo.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: CVE-2015-5699 - Cumulus Linux's Switch Configuration Tools Backend,
 clcmd_server, Vulnerable to Local Privilege Escalation

Title
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to Local Privilege Escalation

Summary
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable to local privilege escalation via Command Injection.  Cumulus Linux’s clcmd_server, when receiving commands that end in user supplied labels, will execute any other command appended to the end of it whether it is in the Rosetta or not.  And it will do so using its own running credentials which are root.

Affected Products
===================
Cumlus Linux 2.5.3 and Earlier 

CVE
===================
CVE-2015-5699

Details
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable to local privilege escalation via Command Injection.  Cumulus Linux’s clcmd_server, when receiving commands that end in user supplied labels, will execute any other command appended to the end of it whether it is in the Rosetta or not.  This is because it stops checking the command against the Rosetta when it gets to the label.  The label, meta-characters and all, are then passed to the shell for execution.  And since clmd_server runs as root it executes both the authorized and the unauthorized command one after the other as root.  It is important to note that the second command must begin with a single quote to terminate the command before it and ended with a single quote to close it.

The only limitation to the injection is that it will not work with spaces in the second command.  This is because clcmd_server parses the command arguments with spaces.  If you put any spaces in your second command, it will see the label as one more command, and fail the operation because it doesn't recognize it.  This can easily be overcome by writing a script in your home directory and then calling the script as the second command.  

The most potent use of this is a script that creates a root equivalent account.  This would allow you, after injection, to su to root-level privileges and take over the system.  Since anyone on the system can gain root through this vulnerability, it is considered high impact.

Verification of Vulnerability
===================
The following steps can be carried out in duplicating this vulnerability.

Step 1: 
Create the following script in your home directory:

  useradd hacker -p $(perl -e'print crypt("hacker", "aa")') -m
  echo 'hacker ALL=(ALL:ALL) ALL' | tee --append /etc/sudoers > /dev/null


Step 2: 
sudo cl-rctl "ip nht set ospf route-map long';/home/lab/script.sh'"

Step 3: 
su hacker

Notes: 
1.  clcmd_server is started by root
2.  The user lab was sudo-limited to cl-rctl only

Impact
===================
Unauthorized access.  Elevation to root privileges and from there full control of the system.

Credits
===================
Gregory Pickett (@shogun7273), Hellfire Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ