[Full-disclosure] nSense-2010-003: Cisco Unified Communications Manager



nSense Vulnerability Research Security Advisory NSENSE-2010-003
---------------------------------------------------------------

Affected Vendor: Cisco Systems, Inc
Affected Product: Cisco Unified Communications Manager
Platform: All
Impact: Privilege Escalation
Vendor response: Patch. IntelliShield ID 21656
CVE: CVE-2010-3039
Credit: Knud / nSense

Technical details
---------------------------------------------------------------

Cisco Unified Communications Manager contains a setuid binary
which fails to validate command line arguments. A local user
can leverage this vulnerability to gain root access by
supplying suitable arguments to the binary.

The application also contains unsafe function calls, such as
sprintf().

Proof of concept:
/usr/local/cm/bin/pktCap_protectData -i";id"

Timeline:
Aug 21st Contacted vendor PSIRT
Aug 23rd Vendor response. Vulnerability acknowledged
Aug 23rd More information sent to vendor
Sep 2nd Status update request sent to vendor
Sep 2nd Vendor response
Sep 3rd Vendor response. More information provided.
Sep 22nd Status update request sent to vendor
Sep 22nd Vendor response
Sep 23rd Vendor response. New release date suggested
Sep 23rd Agreed to the October 20th release date
Sep 23rd Vendor response
Oct 6th Requested schedule information from vendor
Oct 6th Vendor response. New release date suggested
Oct 6th Sent counterproposal to vendor
Oct 6th Vendor response. Requested Wednesday release
Oct 7th Agreed to the new release date
Oct 7th Vendor response
Nov 3rd Vendor confirms release and sends link
Nov 5th Advisory published

A thank you to Matthew Cerha / Cisco PSIRT for the coordination
effort.

"Remember, remember the Fifth of November"

Links:
http://tools.cisco.com/security/center/viewAlert.x?alertId=21656

http://www.nsense.fi http://www.nsense.dk



$$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.
$$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$
$$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$
$$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$
$$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P

D r i v e n b y t h e c h a l l e n g e _

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages