| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALX_EUTL3Vec-NBZfdw4CbJWRV=mE4icqb3hFPVUdjoa2UxTew@mail.gmail.com>
Date: Wed, 2 Apr 2014 22:04:20 +0100
From: 0a29 40 <0a2940@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] 0A29-14-1 : NCCGroup EasyDA privilege escalation & credential
disclosure vulnerability [0day]
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
_______ ________ ________ _____ _______
\ _ \ _____ \_____ \/ __ \/ | | \ _ \
/ /_\ \\__ \ / ____/\____ / | |_/ /_\ \
\ \_/ \/ __ \_/ \ / / ^ /\ \_/ \
\_____ (____ /\_______ \ /____/\____ | \_____ /
\/ \/ \/ |__| \/
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
0A29-14-1 : NCCGroup EasyDA privilege escalation & credential disclosure
vulnerability [0day]
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Description:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
EasyDA by NCCGroup uses /tmp in an insecure manner.
1) Domain Admin credentials can be obtained by a low-privileged user
2) A low-privileged user can escalate to the user which runs EasyDA
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Timeline:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
22 June 2013 - Reported
24 June 2013 - Acknowledged
20 March 2014 - NCCGroup publish an insecure temp priv-esc in Nessus
(plugin)
20 March 2014 - 0a2940 remembers about EasyDa......
02 April 2014 - Published (with extra-special ascii :-))
NCCGroups's vuln in nessus:
https://www.nccgroup.com/media/481256/ncc00643-technical-advisory-nessus-authenticated-scan-local-privilege-escalation.pdf
NCCGroup's software:
https://github.com/nccgroup/easyda
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Details:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Many problems
e.g.
cat "$HASHFILE" |cut -d ":" -f 1 >/tmp/user.txt
cat "$HASHFILE" |cut -d ":" -f 3,4 >/tmp/pass.txt
paste /tmp/user.txt /tmp/pass.txt >/tmp/userpass.txt
etc.
More info:
https://www.securecoding.cert.org/confluence/display/seccode/FIO21-C.+Do+not+create+temporary+files+in+shared+directories
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists