Veritas Storage Foundation Arbitrary File Read Vulnerability

Summary

Veritas Storage Foundation 5.0 from Symantec provides ‘a complete solution for heterogeneous online storage management. Based on the industry-leading Veritas Volume Manager and Veritas File System, it provides a standard set of integrated tools to centrally manage explosive data growth, maximize storage hardware investments, provide data protection and adapt to changing business requirements’. VxFS is an extent-based, journaling filesystem. It implements a ‘Quick I/O for Databases’ feature; qioadmin, which ships as part of the Veritas Storage Foundation product, is the setuid root administration utility for this functionality. When given an arbitrary filename, it writes the file’s contents to the standard error stream.

Credit:

The information has been provided by Security Objectives Corporation.
The original article can be found at: http://www.security-objectives.com/advisories/SECOBJSADV-2008-05.txt

Details

Vulnerable Systems:
 * Veritas Storage Foundation 5.0

Immune Systems:
 * Veritas Software File System version 5.0 MP3

qioadmin will write arbitrary files (including /etc/shadow) to stderr. Each line of output consists of the utility's own error message prefix followed by one line of the file's contents. Clearly, this can lead to privilege escalation by offline cracking of the password hash for the ‘superuser’ or root account. The root cause is that a setuid root program opens a caller-supplied path with root's privileges and then echoes the result back to the unprivileged caller.
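The following C snippet is an added illustration of the defensive pattern for this bug class; it is neither Symantec's code nor the actual qioadmin fix, and the helper name open_as_invoker is hypothetical. A setuid root tool that must open a path named by the caller temporarily switches its effective uid to the real (invoking) uid, so the kernel enforces the caller's own permissions on open(), then restores privileges for the privileged part of its work.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper (not the qioadmin fix): open a caller-supplied path
 * with the privileges of the invoking user, not the setuid-root effective
 * uid. Returns an open fd, or -1 with errno set. When the binary is not
 * setuid, real and effective uid already match and no switch happens. */
int open_as_invoker(const char *path)
{
    uid_t real = getuid(), saved = geteuid();
    int fd, saved_errno;

    /* Drop to the invoker: the kernel now applies their permissions. */
    if (saved != real && seteuid(real) != 0)
        return -1;

    fd = open(path, O_RDONLY | O_CLOEXEC);
    saved_errno = errno;

    /* Regain the saved uid for the privileged part of the tool. If that
     * fails, do not carry on in an unexpected privilege state. */
    if (saved != real && seteuid(saved) != 0) {
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* The flaw in the advisory is the opposite pattern: open(path) directly
 * from the setuid-root process, then echo the contents to stderr. */
int main(int argc, char **argv)
{
    int fd = (argc == 2) ? open_as_invoker(argv[1]) : -1;
    if (fd < 0) {
        perror(argc == 2 ? argv[1] : "usage: open_as_invoker <file>");
        return 1;
    }
    close(fd);
    printf("%s: readable by the invoking user\n", argv[1]);
    return 0;
}
```

Run as an unprivileged user against /etc/shadow, a helper built this way fails with EACCES instead of disclosing the file, while a plain open() from the setuid process would succeed.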

Workaround:
Remove the set-uid bit from the qioadmin binary. Note that qioadmin then runs only with the invoking user's privileges, so non-root users lose the Quick I/O administration functionality until the fixed release is installed.
chmod u-s /opt/VRTS/bin/qioadmin

Vendor response:
Symantec included a fix for this problem in the recent maintenance release Veritas Software File System 5.0 MP3.

Disclosure timeline:
11-Aug-2008 Discovery of Vulnerability
18-Aug-2008 Developed Proof-of-Concept
21-Aug-2008 Reported to Vendor
20-Oct-2008 Maintenance Release
22-Oct-2008 Published Advisory

CVE Information:
CVE-2008-4638

Categories: UNIX