eEye Retina audit scripts have the capability to run remote shell scripts in order to determine whether applications are vulnerable. One audit script in particular (audit ID 2499) uses find(1) with its -exec action when assessing a vulnerability in Gauntlet Firewall. An attacker who can write an executable file in the portion of the file system searched by the find command may be able to exploit this vulnerability to execute arbitrary code with the same privileges provided to Retina to perform a vulnerability scan.
The eEye Retina Network Security Scanner software executes various audits against target systems to conduct security vulnerability assessment testing. eEye provides audit scripts to help perform security reviews of various operating systems and applications. One audit script for Solaris, HP-UX, and IRIX systems (audit ID 2499) checks the program version by searching the /usr/local portion of the file system and executing a file with options to display version information. The script executes a program based on file name alone. If an attacker can place an executable file with an appropriate name under /usr/local, that file will be executed by the audit script.
An attacker who is able to write an executable file under the /usr/local file system (most likely, but not necessarily, a local user) can execute arbitrary code with the same privileges provided to Retina to perform the vulnerability scan.
Take care when executing programs as root, whether to determine version information or for any other reason.
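The following script is an added example for this note; it is not eEye's audit script 2499 and does not reproduce its code. It places the pattern the note describes (find(1) walking a directory tree and -exec'ing whatever matches a file name) beside a probe that refuses to execute any file a non-owner could have written. The search root, the file name "gauntlet" and the "-v" version flag are assumptions for the demonstration; the real script's name, options and paths are not given on this page.

```shell
#!/bin/sh
# Added example, not eEye's audit script. Contrasts an unsafe "find and run"
# version probe with one that checks file type, owner and mode before executing.
# Assumed demo parameters: $1 = search root, $2 = file name, $3 = owner uid.

# Vulnerable pattern: every regular file named $2 under $1 is executed,
# regardless of who owns it or who can write to it. If $1 (e.g. /usr/local)
# is writable by an unprivileged user, that user decides what gets run.
unsafe_version_probe() {
    root=$1; name=$2
    find "$root" -type f -name "$name" -exec {} -v \; 2>/dev/null
}

# Hardened probe: a candidate is executed only if it is a regular file (so a
# planted symlink is rejected), owned by the account the scan runs as
# ($3, default: the current uid) and not writable by group or others.
# Candidates that fail the check are reported on stderr instead of being run.
safe_version_probe() {
    root=$1; name=$2; owner=${3:-$(id -u)}
    find "$root" -name "$name" -print 2>/dev/null | while IFS= read -r f; do
        # Re-check the single path with POSIX find predicates: -type f rejects
        # symlinks and directories, -user checks the owner, and the two
        # negated -perm tests reject group- and world-writable files.
        if [ -n "$(find "$f" -type f -user "$owner" ! -perm -020 ! -perm -002 -print)" ]; then
            # stdin is redirected so the probed program cannot consume the
            # remaining find output from the pipe.
            "$f" -v </dev/null
        else
            echo "skipped untrusted candidate: $f" >&2
        fi
    done
}

# Usage: sh probe.sh SEARCH_ROOT FILE_NAME [OWNER_UID]
if [ "$#" -ge 2 ]; then
    safe_version_probe "$@"
fi
```

The ownership and mode checks shrink the exposure but do not remove it: if a parent directory is writable, files can still be swapped or renamed underneath the probe. The safer design is the one the note's solution points at, which is not to execute files discovered by name while running as root at all, and to read version information from package metadata or a known, fixed path instead.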
Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.
This document was written by Michael Orlando.
Date First Published:
Date Last Updated:
2011-11-09 20:39 UTC