SECOBJADV-2008-05: Symantec Veritas Storage Foundation Arbitrary File Read Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SECOBJADV-2008-05: Symantec Veritas Storage Foundation Arbitrary File Read Vulnerability
From: Security Objectives Corporation <advisories@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 22 Oct 2008 09:41:37 -0700 (PDT)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

======================================================================
=         Security Objectives Advisory (SECOBJADV-2008-05)           =
======================================================================

Veritas Storage Foundation Arbitrary File Read Vulnerability

http://www.security-objectives.com/advisories/SECOBJSADV-2008-05.txt

AFFECTED: Veritas Storage Foundation 5.0

PLATFORM: Solaris, Linux, AIX, HP-UX

CLASSIFICATION: Improper Ownership Management (CWE-282)

RESEARCHER: Derek Callaway

IMPACT: Arbitrary File Read

SEVERITY: Medium

DIFFICULTY: Trivial

REFERENCES: CVE-2008-4638, SYM08-018, BID 31679


BACKGROUND

Veritas Storage Foundation 5.0 from Symantec provides a completesolution for heterogeneous online storage management. Based on theindustry-leading Veritas Volume Manager and Veritas File System, itprovides a standard set of integrated tools to centrally manageexplosive data growth, maximize storage hardware investments, providedata protection and adapt to changing business requirements.


SUMMARY

VxFS is an extent based, journaling filesystem. It implements a
"Quick I/O for Databases" feature; qioadmin is the setuid root
administration utility for this functionality. When given an arbitrary
filename, it will write the file's contents to the standard error stream.

ANALYSIS

qioadmin will write arbitrary files (including /etc/shadow) to stderr.Each line will be prepended with a custom error message followed by filecontents. Clearly, this can lead to privilege escalation by cracking thepassword ciphertext for the "superuser" or root account.


WORKAROUND

Remove the set-uid bit from the qioadmin binary.

chmod u-s /opt/VRTS/bin/qioadmin

VENDOR RESPONSE

Symantec included a fix for this problem in the recent maintenancerelease Veritas Software File System 5.0 MP3.


DISCLOSURE TIMELINE

11-Aug-2008 Discovery of Vulnerability
18-Aug-2008 Developed Proof-of-Concept
21-Aug-2008 Reported to Vendor
20-Oct-2008 Maintenance Release
22-Oct-2008 Published Advisory

ABOUT SECURITY OBJECTIVES

Security Objectives is a security centric consultancy and software developmentcorporation which operates in the area of application assurance software.Security Objectives employs methods that are centered on softwarecomprehension, therefore a more in-depth contextual understanding of theapplication is developed.


http://security-objectives.com/

LEGAL

Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based oncurrently available information and is provided "as is" without warranty ofany kind, either expressed or implied, including, but not limited to, theimplied warranties of merchantability and fitness for a particular purpose.The entire risk as to the quality and performance of the information is withyou.

Prev by Date: SNMP Injection: Achieving Persistent HTML Injection via SNMP on Embedded Devices
Next by Date: Re: FGA-2008-23:EMC NetWorker Denial of Service Vulnerability
Previous by thread: SNMP Injection: Achieving Persistent HTML Injection via SNMP on Embedded Devices
Next by thread: [SECURITY] [DSA 1658-1] New dbus packages fix denial of service
Index(es):
- Date
- Thread