
CERT Coordination Center

eEye Retina audit script could execute untrusted programs as root

Vulnerability Note VU#448051

Original Release Date: 2011-11-08 | Last Revised: 2011-11-09

Overview

eEye Retina audit scripts can run shell scripts on the target host in order to identify vulnerable applications. One audit script in particular (audit ID 2499) uses find(1) with -exec when assessing a vulnerability in Gauntlet Firewall. An attacker who can write an executable file in the portion of the file system searched by the find command may be able to exploit this vulnerability to execute arbitrary code with the privileges Retina was given to perform the vulnerability scan.

Description

The eEye Retina Network Security Scanner executes various audits against target systems to conduct vulnerability assessments. eEye provides audit scripts to help perform security reviews of various operating systems and applications. One audit script for Solaris, HP-UX, and IRIX systems (audit ID 2499) checks the version of an installed program by searching the /usr/local portion of the file system and executing any file with a matching name, passing it an option that displays version information. Because the script selects what to execute by file name alone, an attacker who can place an executable file with that name anywhere under /usr/local can have the audit script execute it.

Reported vulnerable audit script:
Audit ID 2499 tests for the version of Gauntlet Firewall software installed under /usr/local on Solaris, HP-UX, and IRIX target machines with the following line of UNIX shell script:

    find /usr/local -name gauntlet -exec {} -v \;

Every file named gauntlet found anywhere in that tree is executed with the -v argument; find does not check who owns the file or who can write to the directory it sits in.

eEye recommends using unprivileged accounts when scanning hosts with the Retina product. However, users of Retina do have the option of providing a root credential to perform scans. In addition, eEye provides documentation, with warnings, on how to run scans with sudo.

Impact

An attacker who is able to write an executable file under /usr/local (most likely, but not necessarily, a local user) can execute arbitrary code with the privileges provided to Retina to perform the vulnerability scan.

Solution

Update

The vendor has reported that this vulnerability has been fixed in audits revision 2424, released on 10/3/2011.

eEye recommends the following workarounds:

    • Do not allow unprivileged users write access to /usr/local and its subdirectories on Solaris, HP-UX, and IRIX systems.
    • Remove audit 2499 from the scan policy.
    • Perform vulnerability scans with unprivileged (non-root) user accounts.

Determine version information safely

Take care when executing programs as root, to determine version information or for any other reason.
    • Determine version information passively, for instance, by checking file properties.
    • Execute programs with version options using a non-privileged account.
    • Execute only trusted programs, for example, using absolute file paths and files/directories that are not writable by non-root users.
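The following script is an added example, not code from the advisory or from eEye. It reproduces the quoted audit line (find ... -exec {} -v \;) against a constructed sandbox, a mktemp directory standing in for /usr/local, to show that the filesystem walk executes whatever file an attacker plants under a name it is looking for, and then applies the three points above: a fixed absolute path instead of a search, a passive read of the version string, and an ownership/writability check before anything is executed. The sandbox layout, the planted "gauntlet" files and their version strings are all constructed for the demo; is_trusted_binary, passive_version and safe_version_check are names chosen here, not Retina functions.

```shell
#!/bin/sh
# Added example (not from the advisory or eEye): the vulnerable find/-exec
# pattern beside a hardened version-check, run against a constructed sandbox.
set -u

# Build the sandbox: an attacker-writable subdirectory of /usr/local holding a
# planted file named "gauntlet" that records whenever it is executed.
setup_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/bin" "$root/usr/local/share/pkg"
    chmod 755 "$root/usr/local/bin"
    chmod 1777 "$root/usr/local/share/pkg"        # sticky, world-writable
    cat > "$root/usr/local/share/pkg/gauntlet" <<EOF
#!/bin/sh
echo "planted file ran as uid \$(id -u)" > "$root/PLANTED_RAN"
echo "Gauntlet version 5.0"
EOF
    chmod 755 "$root/usr/local/share/pkg/gauntlet"
    printf '%s\n' "$root"
}

# The vulnerable pattern from the advisory, rooted at the sandbox: find walks
# the whole tree and executes every file named "gauntlet", wherever it sits.
unsafe_version_check() {
    find "$1/usr/local" -name gauntlet -exec {} -v \; 2>/dev/null
}

# Trust check: a regular file, owned by the invoking user, where neither the
# file nor its directory is group- or world-writable. POSIX find with -prune
# examines only the named entries; -perm -020 / -002 match a set group/other
# write bit.
is_trusted_binary() {
    f=$1; d=$(dirname "$f")
    [ -f "$f" ] && [ -O "$f" ] && [ -O "$d" ] || return 1
    [ -z "$(find "$f" "$d" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Passive alternative: pull a version string out of the file without running
# it (a heuristic that works for this text file; a real deployment would
# consult package metadata instead).
passive_version() {
    sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Hardened pattern: no filesystem walk decides what runs. Only the fixed
# install path is considered, and it is executed only after the trust check.
safe_version_check() {
    bin="$1/usr/local/bin/gauntlet"        # fixed absolute path (demo prefix)
    if [ ! -e "$bin" ]; then
        echo "not installed"; return 1
    fi
    if ! is_trusted_binary "$bin"; then
        echo "refusing to execute untrusted $bin"; return 2
    fi
    "$bin" -v
}

demo() {
    root=$(setup_sandbox) || return 1
    echo "--- find/-exec audit ---"
    unsafe_version_check "$root"
    [ -f "$root/PLANTED_RAN" ] && cat "$root/PLANTED_RAN"
    rm -f "$root/PLANTED_RAN"
    echo "--- fixed-path audit ---"
    safe_version_check "$root"
    [ -f "$root/PLANTED_RAN" ] || echo "planted file was not executed"
    echo "--- planted file, passive read only ---"
    passive_version "$root/usr/local/share/pkg/gauntlet"
    rm -rf "$root"
}
demo
```

Run as the scanning account, never as root, to see the planted script execute under the find/-exec audit and stay untouched under the fixed-path audit. The trust check deliberately rejects the planted file even when asked about it directly, because its directory is world-writable; that is the condition the first workaround above (no unprivileged write access to /usr/local) is meant to remove.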

Vendor Information


eEye Affected

Notified:  September 30, 2011 Updated: November 09, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Fixed in audits revision 2424. Released 10/3/2011.

Vendor References

References

Acknowledgements

Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2011-3337
Severity Metric: 0.13
Date Public: 2011-11-08
Date First Published: 2011-11-08
Date Last Updated: 2011-11-09 20:39 UTC
Document Revision: 26

Sponsored by CISA.