SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information

Report a Vulnerability

 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#433821

DISA UNIX SRR scripts execute untrusted programs as root

Overview

The Defense Information Systems Agency (DISA) UNIX Security Readiness Review (SRR) scripts find(1) and execute (-exec) various programs to obtain version information. The SRR scripts are designed to be run as root. An attacker who can write a file under the root file system may be able to exploit this vulnerability to execute arbitrary code with root privileges.

I. Description

DISA provides SRR scripts to help perform security reviews of various operating systems and applications. The UNIX SRR scripts check versions of various programs by searching the root file system and executing programs with options to display version information. The scripts generally use find(1) with the -exec expression primary. The scripts execute programs based on file name. If an attacker can place a file with an appropriate name on the file system, that file will be executed by the SRR script. The SRR scripts are designed to be run with root privileges.

II. Impact

An attacker who is able to write a file under the root file system (most likely, but not necessarily a local user) can execute arbitrary code with root privileges.

III. Solution

The DISA Field Security Office (FSO) is reviewing the UNIX SRR scripts and preparing changes to address these issues.

Modify SRR scripts

Given sufficient understanding of the SRR scripts, it is possible to modify them to skip the program execution steps or change to a less privileged user before executing the programs.

Determine version information safely

Take care when executing programs as root, to determine version information or for any other reason.

  • Determine version information passively, for instance, by checking file properties.
  • Execute programs with version options using a non-privileged account.
  • Execute only trusted programs, for example, using absolute file paths and files/directories that are not writable by non-root users.

Systems Affected
VendorStatusDate NotifiedDate Updated
DISA Field Security Office (FSO)Vulnerable2009-12-09

References

http://www.securityfocus.com/archive/1/508188/100/0/threaded
http://www.securityfocus.com/archive/1/508332/100/0/threaded
http://iase.disa.mil/stigs/SRR/unix.html
http://iase.disa.mil/stigs/
http://www.dtic.mil/whs/directives/corres/pdf/850001p.pdf

Credit

Thanks to Frank Stuart for reporting these issues and working with DISA FSO.

This document was written by Art Manion.

Other Information

Date Public:2009-12-03
Date First Published:2009-12-09
Date Last Updated:2009-12-09
CERT Advisory: 
CVE-ID(s):CVE-2009-4211
NVD-ID(s):CVE-2009-4211
US-CERT Technical Alerts: 
Severity Metric:4.63
Document Revision:20

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2009 by US-CERT, a government organization
Disclaimers and copyright information
Get a PDF Reader