PDA

Bekijk Volledige Versie : [GIS 2002101601] SkyStream Admin Shell Privilege Escalation.



Global InterSec Research
27/12/02, 19:30
Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2002101601
Changed: 12/27/2002
Author: research@globalintersec.com
Reference: http://www.globalintersec.com/adv/skystream-2002101601.txt

Summary:

SkyStream's Edge Media Router-5000 (EMR5000) a DVB to
multicast router suffers from a vulnerability in its
configuration shell.

Impact:

A remote user may be able to gain access to the configuration
shell of the device via the telnet protocol and escalate user
privileges to those of the root user.

Versions Tested:

1.16
1.17
1.18

Description:

The Edge Media Router client shell is designed to allow a remote
or local (via serial) user to change system settings and view
network statistics, critical to the operation of the device,
without giving up a root shell.

A buffer overflow exists in the routines for reading and validating
user input into the shell. This may be exploited through either the
heap or the stack.

Rather than using the GNU readline library, SkyStream has implemented
their own proprietary shell control routines, which has contributed to
this problem.

Scope for attack:

Although the EMR5000's configuration shell is password protected
over both telnet and the serial console, as with many router
products, systems administrators neglect to change the default
password setting. Assuming this is the case - a remote attacker
would be able to gain root access over the telnet protocol.

Work around:

- Use the EMR5000's administrative web interface to disable the
telnet server daemon.

- Only permit telnet access to the device from trusted subnets.

Credit:

The vulnerabilities disclosed in this advisory were discovered
during routine penetration tests. They were further researched
at Global InterSec's facility.

The research division can be reached at research@globalintersec.com

Vendor Status:

SkyStream Inc. was notified of this problem on Oct 28th 2002.

Although SkyStream informed us that they were looking into"
these issues; no follow up information has been provided to
Global InterSec.

Proof of concept:

This vulnerability has been successfully exploited in controlled conditions.
As you can see from the below example where we overwrite the %lr and %pc
registers (equivalent of %eip and %ebp on X86), SkyStream has left us
plenty of room for our shellcode on the stack.

SkyStream Networks
Edge Media Router
Please login as 'emradmin' for Command-Line Interface

emr5000 login: emradmin
Password:
[emradmin@emr5000] [1052 bytes][%lr]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 17118)]
0xdeadbeec in ?? ()
(gdb) i r r0 r12 r27 r28 r29 r30 r31 pc lr
r0 0xdeadbeec -559038735
r12 0x41414141 1094795585
r27 0x41414141 1094795585
r28 0x41414141 1094795585
r29 0x41414141 1094795585
r30 0x41414141 1094795585
r31 0x41414141 1094795585
pc 0xdeadbeec -559038736
lr 0xdeadbeec -559038735
(gdb)

Legal:

This advisory is the intellectual property of Global InterSec LLC
but may be freely distributed with the conditions that:

a) No fee is charged.
b) Appropriate credit is given.
c) Distribution of the advisory does not break NDA' s issued by GIS.

(c) Global InterSec LLC 2002