NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2010-11

nSense-2010-003: Cisco Unified Communications Manager

From: Henri Lindberg (henri+listsnsense.fi)
Date: Fri Nov 05 2010 - 10:01:47 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

nSense Vulnerability Research Security Advisory NSENSE-2010-003
---------------------------------------------------------------

       Affected Vendor: Cisco Systems, Inc
       Affected Product: Cisco Unified Communications Manager
       Platform: All
       Impact: Privilege Escalation
       Vendor response: Patch. IntelliShield ID 21656
       CVE: CVE-2010-3039
       Credit: Knud / nSense

Technical details
---------------------------------------------------------------

       Cisco Unified Communications Manager contains a setuid binary
       which fails to validate command line arguments. A local user
       can leverage this vulnerability to gain root access by
       supplying suitable arguments to the binary.

The application also contains unsafe function calls, such as
sprintf().

Proof of concept:
/usr/local/cm/bin/pktCap_protectData -i";id"

       Timeline:
       Aug 21st Contacted vendor PSIRT
       Aug 23rd Vendor response. Vulnerability acknowledged
       Aug 23rd More information sent to vendor
       Sep 2nd Status update request sent to vendor
       Sep 2nd Vendor response
       Sep 3rd Vendor response. More information provided.
       Sep 22nd Status update request sent to vendor
       Sep 22nd Vendor response
       Sep 23rd Vendor response. New release date suggested
       Sep 23rd Agreed to the October 20th release date
       Sep 23rd Vendor response
       Oct 6th Requested schedule information from vendor
       Oct 6th Vendor response. New release date suggested
       Oct 6th Sent counterproposal to vendor
       Oct 6th Vendor response. Requested Wednesday release
       Oct 7th Agreed to the new release date
       Oct 7th Vendor response
       Nov 3rd Vendor confirms release and sends link
       Nov 5th Advisory published

A thank you to Matthew Cerha / Cisco PSIRT for the coordination
effort.

"Remember, remember the Fifth of November"

Links:
http://tools.cisco.com/security/center/viewAlert.x?alertId=21656

http://www.nsense.fi http://www.nsense.dk

       $$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.
       $$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$
       $$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$
       $$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$
       $$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P

D r i v e n b y t h e c h a l l e n g e _

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]