Executive Summary
Summary | |
---|---|
Title | eEye Retina audit script could execute untrusted programs as root |
Information | |||
---|---|---|---|
Name | VU#448051 | First vendor Publication | 2011-11-08 |
Vendor | VU-CERT | Last vendor Modification | 2011-11-09 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 6.9 | Attack Range | Local |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 3.4 | Authentication | None Required |
Detail
Vulnerability Note VU#448051

eEye Retina audit script could execute untrusted programs as root

Overview

eEye Retina audit scripts have the capability to run remote shell scripts in order to determine vulnerable applications. One audit script in particular (audit ID 2499) uses find(1) and execute (-exec) when assessing a vulnerability within Gauntlet Firewall. An attacker who can write an executable file in the portion of the file system searched with the find command may be able to exploit this vulnerability to execute arbitrary code with the same privileges provided to Retina to perform a vulnerability scan.

I. Description

The eEye Retina Network Security Scanner software executes various audits against target systems to conduct security vulnerability assessment testing. eEye provides audit scripts to help perform security reviews of various operating systems and applications. One audit script for Solaris, HP-UX, and IRIX systems (audit ID 2499) checks the program version by searching the /usr/local portion of the file system and executing a file with options to display version information. The script executes a program based on file name. If an attacker can place an executable file with an appropriate name in /usr/local, that file will be executed by the audit script.

II. Impact

An attacker who is able to write an executable file under the /usr/local file system (most likely, but not necessarily a local user) can execute arbitrary code with the same privileges provided to Retina to perform the vulnerability scan.

III. Solution

Update
Take care when executing programs as root, to determine version information or for any other reason.
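One way to take that care when a scan has to locate a program by name, shown as an added example (not eEye's audit script and not part of the original note): list candidates without executing anything, and keep only files that are owned by the trusted account and reached through directories nobody else can write. The file name `vertool`, the function names and the optional uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Print the files named NAME under ROOT that are safe to run
# for a version check: regular files owned by the trusted uid, not writable
# by group or others, reached only through directories with the same
# properties. Nothing is executed while searching (no find -exec).

# path_is_trusted PATH UID: true if PATH is owned by UID and not g/o-writable.
path_is_trusted() {
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# trusted_candidates ROOT NAME [UID]; UID defaults to 0 (root).
# ROOT must be a real directory path other than "/".
trusted_candidates() {
    root=${1%/} name=$2 uid=${3:-0}
    # -type f does not follow symlinks, so symlinked programs are ignored.
    find "$root" -type f -name "$name" -print 2>/dev/null |
    while IFS= read -r f; do
        path_is_trusted "$f" "$uid" || { echo "skip (file): $f" >&2; continue; }
        d=$(dirname "$f") ok=1
        # Walk up to ROOT: a writable or foreign-owned directory would let
        # someone else replace the file between this check and its use.
        while :; do
            path_is_trusted "$d" "$uid" || { ok=0; break; }
            case $d in
                "$root") break ;;
                /|.) ok=0; break ;;
            esac
            d=$(dirname "$d")
        done
        if [ "$ok" -eq 1 ]; then
            printf '%s\n' "$f"
        else
            echo "skip (dir): $f" >&2
        fi
    done
}
```

A caller would run only the paths this prints, for example `trusted_candidates /usr/local vertool`, and treat every skipped path as a finding to report rather than a program to run.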
Vendor Information
References
http://www.eeye.com/products
Credit
Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
Original Source
Url : http://www.kb.cert.org/vuls/id/448051 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 | |
Application | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
76936 | eEye Retina Audit ID 2499 /usr/local Folder File Handling Local Privilege Esc... |