BugTraq
0A29-14-1 : NCCGroup EasyDA privilege escalation & credential disclosure vulnerability [0day] Apr 02 2014 09:19PM
0a29 40 (0a2940 gmail com)
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
~.~.
_______ ________ ________ _____ _______
\ _ \ _____ \_____ \/ __ \/ | | \ _ / /_\ \\__ \ / ____/\____ / | |_/ /_\ \ \_/ \/ __ \_/ \ / / ^ /\ \_/ \_____ (____ /\_______ \ /____/\____ | \_____ /
\/ \/ \/ |__| \/
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
~.~.

0A29-14-1 : NCCGroup EasyDA privilege escalation & credential
disclosure vulnerability [0day]

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
~.~.
Description:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
~.~.

EasyDA by NCCGroup uses /tmp in an insecure manner.
1) Domain Admin credentials can be obtained by a low-privileged user
2) A low-privileged user can escalate to the user which runs EasyDA

https://github.com/nccgroup/easyda

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
~.~.
Timeline:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
~.~.

22 June 2013 - Reported
24 June 2013 - Acknowledged
20 March 2014 - NCCGroup publish an insecure temp priv-esc in Nessus (plugin)
28 March 2014 - Published (with extra-special ascii)

https://www.nccgroup.com/media/481256/ncc00643-technical-advisory-nessus
-authenticated-scan-local-privilege-escalation.pdf

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
~.~.
Details:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
~.~.

Many problems
e.g.
cat "$HASHFILE" |cut -d ":" -f 1 >/tmp/user.txt

cat "$HASHFILE" |cut -d ":" -f 3,4 >/tmp/pass.txt

paste /tmp/user.txt /tmp/pass.txt >/tmp/userpass.txt

etc.

More info:
https://www.securecoding.cert.org/confluence/display/seccode/FIO21-C.+Do
+not+create+temporary+files+in+shared+directories

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus