Landesk OS Command Injection Vulnerability

Summary

A security vulnerability was discovered in LANDesk Management Suite.

Credit:

The information has been provided by Aureliano Calvo.
The original article can be found at: http://www.coresecurity.com/content/landesk-os-command-injection-vulnerability

Details

Vulnerable Systems:
 * LANDesk Management Gateway 4.0 GSBWEB v1.61s
 * LANDesk Management Gateway 4.2 GSBWEB v1.61

Immune Systems:
 * LANDesk Management Gateway 4.0 GSBWEB v1.62
 * LANDesk Management Gateway 4.2 GSBWEB v1.62

The LANDesk web application does not sufficiently verify that a well-formed request was actually submitted by the user whose browser sent it (a cross-site request forgery condition). Using this, an external remote attacker can run arbitrary code as the gsbadmin user (the user running the web server).

For the attack to succeed, an administrator must be logged in to the appliance in the same browser the attacker uses to deliver the request (for instance, by exploiting an XSS in a different tab of that browser).

The gsbadmin user also has sudo privileges. Looking at /etc/sudoers, the attacker can additionally take down the firewall (by injecting ; sudo /subin/firewall stop into DRIVES) and load arbitrary kernel modules (by injecting ; sudo /subin/modprobe /tmp/a_module), effectively taking complete control of the server.
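The two defects described above (no origin check on the request, and a DRIVES value passed straight to a shell) are shown side by side below in an added Python example; it is not code from the advisory or from the LANDesk product, and the drive-name format, the comma separator, the handler name, the /bin/ls command and the sample log lines are assumptions chosen for illustration. The hardened handler rejects requests without a matching per-session CSRF token, validates DRIVES against a strict allowlist, and builds an argv list so no shell ever parses the value; the last function flags access-log lines that carry shell metacharacters to drivers.php, the kind of check a defender could run against web-server logs while an unpatched gateway is still in service.

```python
import hmac
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Allowlist for a single drive name (assumption: device node names such as "sda1");
# the real appliance's expected DRIVES format is not documented in the advisory.
DRIVE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}")
# Characters that carry meaning to a POSIX shell; any of these in DRIVES is an injection attempt.
SHELL_META = re.compile(r"[;&|`$<>()\n]")


def build_command_vulnerable(drives: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell command string unchecked,
    so a value beginning with ';' turns into a second command."""
    return "/bin/ls -l " + drives


def validate_drives(drives: str) -> List[str]:
    """Split a comma-separated DRIVES value (separator is an assumption) and reject any
    name outside the allowlist. Raises ValueError on bad input."""
    names = [d.strip() for d in drives.split(",") if d.strip()]
    if not names:
        raise ValueError("no drive names given")
    for name in names:
        if not DRIVE_RE.fullmatch(name):
            raise ValueError("rejected drive name: %r" % name)
    return names


def build_command_hardened(drives: str) -> List[str]:
    """Hardened pattern: return an argv list for subprocess.run(argv) with no shell, so
    metacharacters in a value could never be interpreted even if validation were bypassed."""
    return ["/bin/ls", "-l"] + validate_drives(drives)


def csrf_ok(session_token: str, submitted_token: Optional[str]) -> bool:
    """Constant-time comparison of the per-session token with the one in the form."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def handle_request(form: dict, session: dict) -> Tuple[int, List[str]]:
    """Hypothetical request handler for the DRIVES form: CSRF check first, then input
    validation. Returns (http_status, argv); argv is empty when the request is refused."""
    if not csrf_ok(session.get("csrf_token", ""), form.get("csrf_token")):
        return 403, []
    try:
        return 200, build_command_hardened(form.get("DRIVES", ""))
    except ValueError:
        return 400, []


def suspicious_drivers_request(log_line: str) -> bool:
    """Detection: flag an access-log line whose query string sends shell metacharacters
    to drivers.php in DRIVES. Only GET query strings appear in a standard access log;
    POST bodies need application-level logging to be checked the same way."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return False
    parts = urlsplit(m.group(1))
    if not parts.path.endswith("/drivers.php"):
        return False
    for value in parse_qs(parts.query).get("DRIVES", []):  # parse_qs percent-decodes
        if SHELL_META.search(value):
            return True
    return False


# Constructed sample log lines (Apache combined format), not taken from any real system.
ATTACK_LOG_LINE = ('198.51.100.7 - - [18/Oct/2010:10:00:00 +0000] "GET /gsb/drivers.php?'
                   'DRIVES=sda1%3B+sudo+%2Fsubin%2Ffirewall+stop HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
BENIGN_LOG_LINE = ('198.51.100.8 - - [18/Oct/2010:10:00:01 +0000] "GET /gsb/drivers.php?'
                   'DRIVES=sda1%2Csdb1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    print(build_command_vulnerable("sda1; sudo /subin/firewall stop"))
    print(handle_request({"DRIVES": "sda1,sdb1", "csrf_token": "t0k"}, {"csrf_token": "t0k"}))
    print(handle_request({"DRIVES": "sda1; sudo /subin/firewall stop", "csrf_token": "t0k"},
                         {"csrf_token": "t0k"}))
    print(suspicious_drivers_request(ATTACK_LOG_LINE), suspicious_drivers_request(BENIGN_LOG_LINE))
```

The order of checks in handle_request matters: the CSRF comparison runs before anything touches DRIVES, so a forged request is refused even when its payload would have passed validation, and the argv form means that the sudo-reachable commands listed in /etc/sudoers are not reachable through this parameter at all.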

Workaround:
Workaround for non-patched versions:
Launch an SSH console session, or log onto the LDMG console and start a terminal session.
Issue the following command: mv /usr/LANDesk/broker/webroot/gsb/drivers.php ~

CVE Information:
CVE-2010-2892

Disclosure Timeline:
2010-10-18: The LANDesk team is notified of the vulnerability.
2010-10-22: The LANDesk team reports that it has verified the vulnerability and identified the cause.
2010-11-10: The advisory CORE-2010-1018 is published.

Categories: UNIX