Title: Centrify Deployment Manager v2.1.0.283 /tmp file clobbering vulnerability |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2012-12-03 |
CVE-ID:[CVE-none] |
CWE: |
Download Site: http://www.centrify.com/ |
Vendor: Centrify |
Vendor Notified: 2012-12-03 |
Vendor Contact: info@centrify.com |
Advisory: http://www.vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp.html |
Description: |
Vulnerability: While at a training session for Centrify, I noticed poor handling of files in /tmp. I was able to overwrite /etc/shadow with the contents of adcheckDMoutput.
I am sure there are more vulnerabilities to be exploited, maybe a local root - but being this is a training class I should probably pay attention.
total 6680
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210
-rw-rw-r-- 1 clyde clyde 188 Dec 3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh
[root@engnew-cen tmp]# ls -l
total 6680
-rw-rw-rw- 1 root root 3999 Dec 3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh
[root@engnew-cen tmp]# ls -l
total 6688
-rw-rw-rw- 1 root root 3999 Dec 3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 clyde clyde 132 Dec 3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh
[root@engnew-cen tmp]# ls -l
total 6672
-rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh |
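The listings show root creating a fixed-name, world-writable file (adcheckDMoutput) in /tmp. The following is an added example, not code from the advisory or from Centrify, contrasting that pattern with a hardened writer. The advisory does not state the mechanism; the example assumes the tool opens the path with flags that follow a link already present there. The function names and the `protected_file` stand-in are hypothetical.

```python
import os
import tempfile

REPORT_NAME = "adcheckDMoutput"  # file name taken from the listing above

def write_report_unsafe(path, data):
    """Assumed vulnerable pattern: fixed name, follows links, mode 0666."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def write_report_safe(path, data):
    """Create the file only if nothing exists at path; never follow a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # raises FileExistsError if path exists
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def write_report_private(data):
    """Preferred: keep the report out of shared /tmp, in a fresh 0700 directory."""
    workdir = tempfile.mkdtemp(prefix="adcheck-")
    path = os.path.join(workdir, REPORT_NAME)
    write_report_safe(path, data)
    return path

def demo():
    """Run both writers against a constructed directory holding a planted link."""
    results = {}
    with tempfile.TemporaryDirectory() as shared:
        target = os.path.join(shared, "protected_file")  # stand-in for a root-owned file
        link = os.path.join(shared, REPORT_NAME)
        for name, writer in (("unsafe", write_report_unsafe),
                             ("safe", write_report_safe)):
            with open(target, "wb") as fh:
                fh.write(b"original\n")  # constructed sample content
            if os.path.lexists(link):
                os.remove(link)
            os.symlink(target, link)
            try:
                writer(link, b"adcheck output\n")
                outcome = "written"
            except FileExistsError:
                outcome = "refused"
            with open(target, "rb") as fh:
                results[name] = (outcome, fh.read())
    return results

if __name__ == "__main__":
    print(demo())
```

On Linux, the `fs.protected_symlinks` sysctl also blocks following such links in sticky world-writable directories, but a privileged tool should not depend on that setting.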
Exploit Code:
|
Screen Shots: |
Notes: 88166 |