thr3ads.net - Secure testing team - [Secure-testing-team] Bug#611680: dtc-xen - Remote authenticated root exploit [Jan 2011]

If this information is useful, please help other people find it:
Share via:

Twitter
Facebook
Email

Bastian Blank

2011-Jan-31 22:17 UTC

[Secure-testing-team] Bug#611680: dtc-xen - Remote authenticated root exploit

Package: dtc-xen
Version: 0.5.13-3
Severity: grave
Tags: security

dtc-xen includes several command executions as root that uses unchecked
user input in dtc-soap-server.

| cmd = "/usr/sbin/dtc_kill_vps_disk %s %s" % (vpsname, imagetype)
| output = commands.getstatusoutput(cmd)

"imagetype" is the uncheck input and commands.getstatusoutput
effectively does "sh -c ''{ $cmd } 2>&1''".

Bastian

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (990, ''stable''), (500,
''testing'')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Secure testing team - Jan 2011 - Bug#611680: dtc-xen - Remote authenticated root exploit

[Secure-testing-team] Bug#611680: dtc-xen - Remote authenticated root exploit