Executive Summary

Summary
Title: eEye Retina audit script could execute untrusted programs as root

Information
Name: VU#448051              First vendor publication: 2011-11-08
Vendor: VU-CERT              Last vendor modification: 2011-11-09
Severity (vendor): N/A       Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA               Environmental score: NA
Impact subscore: NA          Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 6.9         Attack range: Local
CVSS impact score: 10        Attack complexity: Medium
CVSS exploit score: 3.4      Authentication: None required

Detail

Vulnerability Note VU#448051

eEye Retina audit script could execute untrusted programs as root

Overview

eEye Retina audit scripts have the capability to run remote shell scripts in order to determine vulnerable applications. One audit script in particular (audit ID 2499) uses find(1) with its -exec action when assessing a vulnerability within Gauntlet Firewall. An attacker who can write an executable file in the portion of the file system searched by the find command may be able to exploit this vulnerability to execute arbitrary code with the same privileges provided to Retina to perform a vulnerability scan.

I. Description

The eEye Retina Network Security Scanner software executes various audits against target systems to conduct security vulnerability assessment testing. eEye provides audit scripts to help perform security reviews of various operating systems and applications. One audit script for Solaris, HP-UX, and IRIX systems (audit ID 2499) checks the program version by searching the /usr/local portion of the file system and executing a file with options to display version information. The script executes a program based on file name. If an attacker can place an executable file with an appropriate name in /usr/local, that file will be executed by the audit script.

Reported vulnerable audit script:
Audit ID 2499 tests for the version of Gauntlet Firewall software installed under /usr/local on Solaris, HP-UX, and IRIX target machines with the following line of UNIX shell script:

    find /usr/local -name gauntlet -exec {} -v \;

eEye recommends using unprivileged accounts when scanning hosts with the Retina product. However, a user of Retina does have the option to provide a root credential to perform scans. In addition, eEye provides documentation with warnings on how to run scans with sudo.

II. Impact

An attacker who is able to write an executable file under the /usr/local file system (most likely, but not necessarily a local user) can execute arbitrary code with the same privileges provided to Retina to perform the vulnerability scan.

III. Solution

Update

The vendor has reported that this vulnerability has been fixed in audits revision 2424, released on 10/3/2011.

eEye Retina recommends the following workarounds:

  • Do not allow unprivileged users write access to /usr/local and its subdirectories on Solaris, HP-UX, and IRIX systems.
  • Remove audit 2499 from the scan policy.
  • Perform vulnerability scans with unprivileged (non-root) user accounts.

Determine version information safely

Take care when executing programs as root, whether to determine version information or for any other reason.
  • Determine version information passively, for instance, by checking file properties.
  • Execute programs with version options using a non-privileged account.
  • Execute only trusted programs, for example, using absolute file paths and files/directories that are not writable by non-root users.
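As an added example of the last recommendation (it is not code from the CERT note or from eEye), the POSIX shell functions below show how an audit could still locate candidate programs with find, but refuse to execute any whose file, or any directory between it and the search root, is not owned by the expected user or is group- or world-writable. The function names path_is_trusted and find_trusted_programs, and the optional owner parameter (it defaults to root, but can be set so the check runs without root privileges), are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the CERT note or eEye): trust check for programs an
# audit script is about to execute. Contrast with the reported audit line
#   find /usr/local -name gauntlet -exec {} -v \;
# which runs every match regardless of who owns it or who can write to it.

# path_is_trusted PATH ROOT [OWNER]
# Succeeds only if PATH and every directory from PATH up to and including
# ROOT are owned by OWNER (default root) and are not group- or world-writable.
# OWNER is a parameter (assumed for this example) so the check can be
# exercised without root privileges.
path_is_trusted() {
    tp_path=$1
    tp_root=$2
    tp_owner=${3:-root}
    while :; do
        # -prune keeps find from descending into a directory; the remaining
        # predicates print the entry only if ownership and mode are acceptable,
        # so an empty result means the entry is untrusted.
        if [ -z "$(find "$tp_path" -prune -user "$tp_owner" ! -perm -g+w ! -perm -o+w -print 2>/dev/null)" ]; then
            return 1
        fi
        [ "$tp_path" = "$tp_root" ] && return 0
        # Reached the filesystem root without passing through ROOT: not under ROOT.
        [ "$tp_path" = "/" ] && return 1
        tp_path=$(dirname "$tp_path")
    done
}

# find_trusted_programs ROOT NAME [OWNER]
# Prints the regular files named NAME under ROOT that pass path_is_trusted;
# anything an unprivileged user could have planted or replaced is skipped.
find_trusted_programs() {
    ft_root=$1
    ft_name=$2
    ft_owner=${3:-root}
    find "$ft_root" -name "$ft_name" -type f -print 2>/dev/null | while IFS= read -r f; do
        if path_is_trusted "$f" "$ft_root" "$ft_owner"; then
            printf '%s\n' "$f"
        fi
    done
}
```

A path that passes this check only tells you that a non-root user could not have created or replaced the file; it says nothing about what the program does, so the version probe itself should still run under an unprivileged account as the note advises. Running the check over /usr/local on the target, with the default owner of root, would list exactly the gauntlet binaries the original audit line could safely have invoked.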

Vendor Information

Vendor   Status     Date Notified   Date Updated
eEye     Affected   2011-09-30      2011-11-09

References

http://www.eeye.com/products
http://www.eeye.com/Support/Knowledge-Base/Article.aspx?id=KB000883
http://www.eeye.com/Resources/Security-Center/Research/Security-Advisories/AL20111108

Credit

Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public: 2011-11-08
Date First Published: 2011-11-08
Date Last Updated: 2011-11-09
CERT Advisory: 
CVE-ID(s): CVE-2011-3337
NVD-ID(s): CVE-2011-3337
US-CERT Technical Alerts: 
Severity Metric: 0.13
Document Revision: 25

Original Source

Url : http://www.kb.cert.org/vuls/id/448051

CWE : Common Weakness Enumeration

%       Id        Name
100 %   CWE-264   Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Type          Description   Count
Application                 2
Application                 1

Open Source Vulnerability Database (OSVDB)

Id      Description
76936   eEye Retina Audit ID 2499 /usr/local Folder File Handling Local Privilege Esc...