Credit:
The information has been provided by Aureliano Calvo and Adrian Manrique.
The original article can be found at: http://www.coresecurity.com/content/landesk-csrf-vulnerability
Vulnerable Systems:
* LANDesk Management Gateway 4.0-1.48 and older
* LANDesk Management Gateway 4.2-1.8
Immune Systems:
* LANDesk Management Gateway 4.0-1.61
* LANDesk Management Gateway 4.2-1.61
An attacker can stop the firewall and load a kernel module, gaining root access to the appliance. The same flaw can also be used as a non-persistent XSS. For the attack to succeed, the administrator must be logged in to the appliance with the same browser the attacker uses to make the request (for instance, by exploiting an XSS in a different tab of that browser).
The LANDesk web application does not sufficiently verify that a well-formed request was intentionally submitted by the logged-in user. When the web application receives a request to remove a previously generated backup from a client, the request is processed by 'gsb/BackupRestoreTab.php', which contains the following lines:
/-----
19 $cmd = "sudo /subin/backuptool --delete {$_POST['delBackupName']}";
20 exec($cmd);
21 $msg = "Successfully Removed: {$_POST['delBackupName']}";
-----/
Thus, an attacker may be able to trick a client (the logged-in administrator's browser) into making an unintended request to the web server with a handcrafted 'delBackupName' parameter. Because that parameter is interpolated directly into the command string ('BackupRestoreTab.php:19'), the attacker controls an arbitrary command line that is executed in the context of the web server ('BackupRestoreTab.php:20').
In order to trigger this vulnerability, a POST request with the following parameters must be made to 'gsb/datetime.php':
/-----
<delBackupName>: 'a; [injection]'
<backupRestoreFormSubmitted>: 'b'
-----/
Using this information, an external remote attacker can run arbitrary code as the 'gsbadmin' user (the user running the web server). Moreover, the 'gsbadmin' user has sudo privileges: looking at '/etc/sudoers', the attacker can also take down the firewall (injecting 'a; sudo /subin/firewall stop' into 'delBackupName') and load arbitrary kernel modules (injecting 'a; sudo /subin/modprobe /tmp/a_module'), effectively taking complete control of the server.
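A hardened version of the delete-backup handler, added here as an illustration; it is not LANDesk's code nor the GSBWEB_61 patch. It closes both issues the advisory describes (the missing request-origin check and the unsanitized shell argument) and also escapes the echoed name that enables the non-persistent XSS. The hidden field name 'csrf_token' and the surrounding form handling are assumptions.

```php
<?php
// Added example, not LANDesk code. Two independent fixes for the
// handler shown in the advisory:
//  1. a per-session anti-CSRF token, checked in constant time, so a
//     request forged from another site is rejected;
//  2. strict allowlist validation of delBackupName, plus
//     escapeshellarg(), so user input never reaches the shell
//     as anything but a single quoted argument.
session_start();

function csrf_token(): string {
    // Generated once per session; embed it in the form as a hidden field.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() avoids both timing leaks and a loose == comparison.
    return $submitted !== null && $expected !== ''
        && hash_equals($expected, $submitted);
}

function valid_backup_name(string $name): bool {
    // Allowlist: letters, digits, '.', '-', '_' only, so 'a; cmd' is
    // rejected outright; '..' is refused to block path traversal.
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)
        && strpos($name, '..') === false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['backupRestoreFormSubmitted'])) {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $name = $_POST['delBackupName'] ?? '';
    if (!valid_backup_name($name)) {
        http_response_code(400);
        exit('Invalid backup name');
    }
    // Even after validation, quote the argument instead of interpolating it.
    exec('sudo /subin/backuptool --delete ' . escapeshellarg($name), $out, $rc);
    // Escape the echoed name so the response cannot carry reflected script.
    $msg = $rc === 0
        ? 'Successfully Removed: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        : 'Removal failed';
}
```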
Patch Availability:
The patch name is GSBWEB_61. When applied to versions 4.0 and 4.2 of the LANDesk Management Gateway it will bring them to 4.0-1.61 and 4.2-1.61 respectively. For additional information, consult the LANDesk support forums at http://community.landesk.com/support/docs/DOC-8333/.
CVE Information:
CVE-2010-0368
CVE-2010-0369
Disclosure Timeline:
2010-01-04: LANDesk notified
2010-01-18: Vendor estimates that it is on track to have the fix ready for publication at the end of the month.
2010-02-04: The advisory is published.