Home page logo
/

bugtraq logo Bugtraq mailing list archives

0A29-14-1 : NCCGroup EasyDA privilege escalation & credential disclosure vulnerability [0day]
From: 0a29 40 <0a2940 () gmail com>
Date: Wed, 2 Apr 2014 22:19:17 +0100

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
_______          ________  ________  _____  _______
\   _  \ _____   \_____  \/   __   \/  |  | \   _  \
/  /_\  \\__  \   /  ____/\____    /   |  |_/  /_\  \
\  \_/   \/ __ \_/       \   /    /    ^   /\  \_/   \
 \_____  (____  /\_______ \ /____/\____   |  \_____  /
       \/     \/         \/            |__|        \/
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

0A29-14-1 : NCCGroup EasyDA privilege escalation & credential
disclosure vulnerability [0day]

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Description:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

EasyDA by NCCGroup uses /tmp in an insecure manner.
1) Domain Admin credentials can be obtained by a low-privileged user
2) A low-privileged user can escalate to the user which runs EasyDA

https://github.com/nccgroup/easyda

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Timeline:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

22 June  2013 - Reported
24 June  2013 - Acknowledged
20 March 2014 - NCCGroup publish an insecure temp priv-esc in Nessus (plugin)
28 March 2014 - Published (with extra-special ascii)

https://www.nccgroup.com/media/481256/ncc00643-technical-advisory-nessus-authenticated-scan-local-privilege-escalation.pdf

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Details:
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.

Many problems
e.g.
      cat "$HASHFILE" |cut -d ":" -f 1 >/tmp/user.txt

      cat "$HASHFILE" |cut -d ":" -f 3,4 >/tmp/pass.txt

      paste /tmp/user.txt /tmp/pass.txt >/tmp/userpass.txt

etc.

More info:
https://www.securecoding.cert.org/confluence/display/seccode/FIO21-C.+Do+not+create+temporary+files+in+shared+directories


  By Date           By Thread  

Current thread:
  • 0A29-14-1 : NCCGroup EasyDA privilege escalation & credential disclosure vulnerability [0day] 0a29 40 (Apr 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]