nSense-2010-003: Cisco Unified Communications Manager Nov 05 2010 03:01PM
Henri Lindberg henri+lists (at) nsense (dot) fi [email concealed] (henri+lists nsense fi)
nSense Vulnerability Research Security Advisory NSENSE-2010-003

Affected Vendor: Cisco Systems, Inc
Affected Product: Cisco Unified Communications Manager
Platform: All
Impact: Privilege Escalation
Vendor response: Patch. IntelliShield ID 21656
CVE: CVE-2010-3039
Credit: Knud / nSense

Technical details

Cisco Unified Communications Manager contains a setuid binary
which fails to validate command line arguments. A local user
can leverage this vulnerability to gain root access by
supplying suitable arguments to the binary.

The application also contains unsafe function calls, such as

Proof of concept:
/usr/local/cm/bin/pktCap_protectData -i";id"

Aug 21st Contacted vendor PSIRT
Aug 23rd Vendor response. Vulnerability acknowledged
Aug 23rd More information sent to vendor
Sep 2nd Status update request sent to vendor
Sep 2nd Vendor response
Sep 3rd Vendor response. More information provided.
Sep 22nd Status update request sent to vendor
Sep 22nd Vendor response
Sep 23rd Vendor response. New release date suggested
Sep 23rd Agreed to the October 20th release date
Sep 23rd Vendor response
Oct 6th Requested schedule information from vendor
Oct 6th Vendor response. New release date suggested
Oct 6th Sent counterproposal to vendor
Oct 6th Vendor response. Requested Wednesday release
Oct 7th Agreed to the new release date
Oct 7th Vendor response
Nov 3rd Vendor confirms release and sends link
Nov 5th Advisory published

A thank you to Matthew Cerha / Cisco PSIRT for the coordination

"Remember, remember the Fifth of November"


http://www.nsense.fi http://www.nsense.dk

$$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.
$$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$
$$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$
$$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$
$$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P

D r i v e n b y t h e c h a l l e n g e _

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus