[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CVE-2015-5699 - Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to Local Privilege Escalation
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [FD] CVE-2015-5699 - Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to Local Privilege Escalation
- From: Gregory Pickett <gpickett71@xxxxxxxxx>
- Date: Tue, 11 Aug 2015 16:19:32 +0000 (UTC)
Title
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to
Local Privilege Escalation
Summary
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable
to local privilege escalation via Command Injection. Cumulus Linux’s
clcmd_server, when receiving commands that end in user supplied labels, will
execute any other command appended to the end of it whether it is in the
Rosetta or not. And it will do so using its own running credentials which are
root.
Affected Products
===================
Cumlus Linux 2.5.3 and Earlier
CVE
===================
CVE-2015-5699
Details
===================
Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable
to local privilege escalation via Command Injection. Cumulus Linux’s
clcmd_server, when receiving commands that end in user supplied labels, will
execute any other command appended to the end of it whether it is in the
Rosetta or not. This is because it stops checking the command against the
Rosetta when it gets to the label. The label, meta-characters and all, are
then passed to the shell for execution. And since clmd_server runs as root it
executes both the authorized and the unauthorized command one after the other
as root. It is important to note that the second command must begin with a
single quote to terminate the command before it and ended with a single quote
to close it.
The only limitation to the injection is that it will not work with spaces in
the second command. This is because clcmd_server parses the command arguments
with spaces. If you put any spaces in your second command, it will see the
label as one more command, and fail the operation because it doesn't recognize
it. This can easily be overcome by writing a script in your home directory and
then calling the script as the second command.
The most potent use of this is a script that creates a root equivalent account.
This would allow you, after injection, to su to root-level privileges and take
over the system. Since anyone on the system can gain root through this
vulnerability, it is considered high impact.
Verification of Vulnerability
===================
The following steps can be carried out in duplicating this vulnerability.
Step 1:
Create the following script in your home directory:
useradd hacker -p $(perl -e'print crypt("hacker", "aa")') -m
echo 'hacker ALL=(ALL:ALL) ALL' | tee --append /etc/sudoers > /dev/null
Step 2:
sudo cl-rctl "ip nht set ospf route-map long';/home/lab/script.sh'"
Step 3:
su hacker
Notes:
1. clcmd_server is started by root
2. The user lab was sudo-limited to cl-rctl only
Impact
===================
Unauthorized access. Elevation to root privileges and from there full control
of the system.
Credits
===================
Gregory Pickett (@shogun7273), Hellfire Security
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/