Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Trustwave WebDefend Privilege Escalation Vulnerability

From: Nathan Power <np () securitypentest com>
Date: Mon, 25 Apr 2011 20:47:19 -0400
------------------------------------------------------------------
1. Summary:

A privilege escalation vulnerability has been identified in Trustwave's
WebDefend Enterprise product.  It is possible for the restricted operator
account to gain access as root on the appliance.

------------------------------------------------------------------
2. Description:

The operator account 'bgoperator' is used to perform system maintenance
functions.  This account accesses the appliance via ssh. It is important to
note that the operator account has a default password that has been provided
in the 'Getting Started' manual.

The operator account has a menu driven shell that does not allow the user to
input system commands.

---------
Main Menu
---------
1 -- Online Menu
2 -- Offline Menu
3 -- System Menu
? -- Help

The shell path for this account is located at:
'/usr/local/opt/breach/bin/start_bgadmin_cli'

Which is a script calling another script using the following line:
'sudo -u root /opt/breach/bwd/bin/bgadmin_cli'

You can see above, the second script is being executed as root!

When viewing log files the shell uses the 'more' command.  When using
'more', pressing 'v', will start the file in 'vi' text editor.  From 'vi' it
is possible to read and write to any file on the system as root.  By
modifying the operator account's login script we are able to gain access to
a root shell.

Below is a POC video demonstrating the attack:
http://www.securitypentest.com/2011/04/webdefend-privilege-escalation-poc.html

------------------------------------------------------------------
3. Impact:

Total system compromise to the appliance

------------------------------------------------------------------
4. Affected Products:

WebDefend Enterprise Manager Appliance version 5.0 and prior

------------------------------------------------------------------
5. Solution:  None

------------------------------------------------------------------
6. Time Table:

01/26/2011 Reported Vulnerability to the Vendor

------------------------------------------------------------------
7. Credits:

Discovered by Nathan Power
www.securitypentest.com

------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: