[UNIX] Privilege Escalation Vulnerabilities in W-Channel Embedded Linux

From: SecuriTeam (support_at_securiteam.com)
Date: 11/22/04

  • Next message: SecuriTeam: "[NT] Circumvent Windows XP SP2 Security Features using execCommand 'SaveAs' Function" 
    To: list@securiteam.com
Date: 22 Nov 2004 15:59:15 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Privilege Escalation Vulnerabilities in W-Channel Embedded Linux
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.tc-ide.com/eng/tcs-features.htm> W-Channel produces an
    embedded Linux system that can turn existing PCs into thin terminal
    clients. By plugging the TC-IDE into the IDE socket of the PC, the PC will
    be booted by the embedded kernel, with terminal protocols (RDC, VNC
    X-Windows etc).

    Local user input handling vulnerabilities exist in WCI's TC-IDE Embedded
    Linux that allow local users with access to the tools provided with the
    system to spawn a root console, gaining full control over the running
    Linux operating system.

    DETAILS

    Vulnerable Systems:
     * W-Channel Embedded Linux version 1.53 and prior

    Immune Systems:
     * W-Channel Embedded Linux version 1.54 or newer

    Several exploitation methods are explained below:

    1) In the Net Tools dialog, type ";crxvt&" (without the quotes), and click
    on Discover. A root shell within a virtual terminal should appear.

    2) In the PPPoE dialer GUI, type the same as above in the username field,
    and click connect.

    3) In Opera, click on Menu, then Preferences. In E-mail, mark the "Use
    specific e-mail client" radio button, and type "/bin/dillo" (without the
    quotes) in the textbox below. Apply the settings, and close this menu. In
    the main window, click on Mail, then Compose. The dillo browser window
    should now be launched.

    4) Point it to the following address:
    http://localhost/cgi-bin/mycomputer.cgi. Go to the Control Panel -> User
    Desktop. Enable "My Computer", then restart your desktop.

    You should now have Administrator access to most of the settings.

    Vendor Status:
    The security problems were fixed in v1.54, Customers should contact
    W-Channel for information on how to obtain the latest firmware.

    Disclosure Timeline:
     * Vendor informed: 15/10/04
     * Vendor reply: 17/10/04
     * Vendor fix release: 8/11/04

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:team@eclipse.org.il> ECL
    team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Circumvent Windows XP SP2 Security Features using execCommand 'SaveAs' Function"

    Relevant Pages