Friday, January 24, 2020

[ITERIS] - Vantage Velocity Field Unit - Privilege escalation - (CVE-2020-9024)

"Vantage Velocity Field Unit" traffic analysis devices have weak permission settings on the /root/cleardata.pl and /root/loadperl.sh scripts, which allow any unprivileged user to modify their content. These scripts are executed by crond every 30 min (/root/cleardata.pl) and when the device is restarted (/root/loadperl.sh), so any code they contain runs with root permissions.


Connected as the "eclipse" user, and after validating that this user does not have sudo privileges, I proceed to list the files that the eclipse user can write.



We find 2 files with 77 permissions, which are most likely to be executed through a scheduled task; we validate this logged in as the root user.

Checking the crontab of the root user, we see that the script that we can modify does indeed run every 30 min.



With the eclipse user, the file is modified by injecting a command to create an entry in /etc/sudoers, which allows us to elevate privileges.




After 30 min, crond runs the modified script and it writes the /etc/sudoers file, adding "full sudo" permissions to the eclipse user, which allows executing any command as root.
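A defensive check for the condition described above, added here as an example that is not part of the original advisory: it reads a crontab and reports every script it names that group or other users can modify, either directly or through a writable parent directory. The function names, the temporary directory standing in for /root, and the crontab entries are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): flag scripts named in a crontab that
# someone other than the owner could modify. Paths with spaces are not handled.

# True if $1 (symlinks followed) is writable by group or others.
is_loosely_writable() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Print each regular file named by absolute path in crontab file $1 that is
# group/world-writable, or whose directory is (the file could be replaced).
audit_crontab() {
    grep -v '^[[:space:]]*#' "$1" | tr -s '[:space:]' '\n' | grep '^/' |
    sort -u | while IFS= read -r path; do
        [ -f "$path" ] || continue
        if is_loosely_writable "$path"; then
            printf 'WRITABLE_FILE %s\n' "$path"
        elif is_loosely_writable "$(dirname "$path")"; then
            printf 'WRITABLE_DIR %s\n' "$path"
        fi
    done
}

# Constructed sample: a temp tree standing in for /root and a made-up crontab.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/cleardata.pl"; chmod 777 "$d/cleardata.pl"
    printf '#!/bin/sh\n' > "$d/loadperl.sh";  chmod 777 "$d/loadperl.sh"
    printf '#!/bin/sh\n' > "$d/rotate.sh";    chmod 700 "$d/rotate.sh"
    {
        echo "# constructed entries, not the device's real crontab"
        echo "*/30 * * * * $d/cleardata.pl"
        echo "@reboot $d/loadperl.sh"
        echo "0 3 * * * $d/rotate.sh > /dev/null 2>&1"
    } > "$d/crontab"
    audit_crontab "$d/crontab" | sed "s|$d/||"
    rm -rf "$d"
}

demo
```

On a real system, point `audit_crontab` at an exported copy of root's crontab; any reported script should be owned by root with write access removed for group and others.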



Affected Versions:
  • 2.3.1
  • 2.4.2
CVE-2020-9024
By: @linuxmonr4



