Data Domain 本地特权提升漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1191134 漏洞类型 输入验证
发布时间 2007-04-02 更新时间 2007-04-06
CVE编号 CVE-2007-1836 CNNVD-ID CNNVD-200704-027
漏洞平台 N/A CVSS评分 9.0
|漏洞来源
https://cxsecurity.com/issue/WLB-2007040024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-027
|漏洞详情
DataDomainOS的命令行管理界面存在本地特权提升漏洞。远程认证用户可以借助对不同指令的特定参数中的壳元字符,执行任意指令。
|漏洞EXP
SUMMARY
=======

An arbitrary command execution vulnerability exists in the command line
administration interface of the software used by DataDomain appliances.
An attacker who is able to access the administration interface could
exploit this vulnerability to install malicious software and use the
DataDomain appliance as a base from which to launch attacks on other
systems.

AFFECTED SOFTWARE
=================

* Data Domain OS 3.0.0 through 4.0.3.5

* Possibly Data Domain OS 2.x and earlier

UNAFFECTED
==========

* Data Domain OS 4.0.3.6 and later

IMPACT
======

An attacker who is able to access the administration interface could
install malicious software and use the DataDomain appliance as a base
from which to launch attacks on other systems. Because its owners may
not view the DataDomain applicance as a general-purpose device, they
may not suspect that it might be compromised. In that way the attacker
might evade detection, even if other compromised systems are discovered
and quarantined.

DETAILS
=======

Several of the commands presents in the DataDomain administrative are
very simple wrappers around UNIX commands, including ping, ifconfig,
date, netstat, uptime, etc. In several cases, the arguments to these
commands are not sufficiently validated before they are passed to the
UNIX shell for execution. By using specially crafted arguments, and
attacker could inject shell special characters into the shell command
line, leading to execution of arbitrary programs.

SOLUTION
========

Upgrade to DataDomain OS 4.0.3.6 or later

EXPLOIT
=======

These command lines will launch an interactive UNIX shell:

ifconfig eth0:;sh
ping sh interface eth0:;

ACKNOWLEDGMENTS
===============

Thanks to DataDomain for fixing this issue quickly and their
cooperation in the development of this advisory.

REVISION HISTORY
================

2007-03-28  original release

-- 
Elliot Kendall <ekendall (at) brandeis (dot) edu [email concealed]>
Network Security Architect
Brandeis University
|参考资料

来源:BUGTRAQ
名称:20070328ArbitraryCommandExecutioninDataDomainAdministratorInterface
链接:http://www.securityfocus.com/archive/1/archive/1/464085/100/0/threaded
来源:BID
名称:23182
链接:http://www.securityfocus.com/bid/23182
来源:OSVDB
名称:34537
链接:http://osvdb.org/34537
来源:SREASON
名称:2516
链接:http://securityreason.com/securityalert/2516
来源:SECUNIA
名称:24666
链接:http://secunia.com/advisories/24666