Enomaly ECP/Enomalism: Multiple vulnerabilities in enomalism2.sh (redux)

Synopsis

All versions of Enomaly ECP/Enomalism[1] before 2.2.1 have multiple issues
arising from insecure handling of a temporary file, the daemon's PID file in
/tmp, by the enomalism2.sh control script.

The fixes for CVE-2008-4990[2] and CVE-2009-0390[3] shipped in 2.1.1 and 2.2
were found to be ineffective.

Background

Enomaly ECP (formerly Enomalism) is management software for virtual machines.

Description

Sam Johnston[4] of Australian Online Solutions[5] reported multiple
vulnerabilities in enomalism2.sh:
- Race condition on $PIDFILE (/tmp/enomalism2.pid) renders the 2.1.1 fixes
  ineffective
- Incomplete fixes in 2.1.1/2.2 fail to address the stop/restart functions
- Root ownership check (ls -l $PIDFILE | grep root) is trivially bypassed by:
  - changing the symlink's group to one containing the word 'root', or
  - creating a symlink to any filename containing the word 'root'
- Process check (ps -p $PID | grep enomalism2d) is also trivially bypassed,
  since grep only needs the string to appear somewhere in the ps output and
  $PID itself is read unvalidated from the PID file

Impact

A local attacker could perform a symlink attack to overwrite arbitrary files
on the system with root privileges, inject arguments into the 'kill' command
(the PID file contents are passed to it unvalidated) to terminate or send
arbitrary signals to any process(es) as root, or launch a denial of service
attack by preventing the virtual machines from starting.

Exploits

a. Race the script for the PID file (symlink attack; the script's write to
   $PIDFILE lands in /etc/passwd as root):
   while true; do ln -s /etc/passwd /tmp/enomalism2.pid; done
b. Argument injection into kill (the script ends up running 'kill -9 1'):
   echo "-9 1" > /tmp/enomalism2.pid
c. Bypass the 'ls -l $PIDFILE | grep root' ownership check:
   i.  ln -s /tmp/root /tmp/enomalism2.pid     (link target contains 'root')
   ii. chgrp beetroot /tmp/enomalism2.pid      (group name contains 'root')

Workaround

Change PIDFILE from /tmp/enomalism2.pid to /var/run/enomalism2.pid. Unlike
/tmp, /var/run is not world-writable, so an unprivileged local user can no
longer create, replace or symlink the PID file; the flawed checks in the
script then no longer operate on attacker-controlled input.
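
For readers fixing a script of their own, the following is an added example
(not Enomaly's enomalism2.sh, and not the researcher's fix) showing how the
three checks the advisory describes as bypassable, the ownership test, the
PID value and the process-name test, can be done so that exploits b and c
above fail. It also refuses to follow a symlink at all, which is the
precondition for exploit a. It assumes a Linux host with /proc, or a ps(1)
that accepts 'ps -o comm= -p PID', and a stat(1) from GNU coreutils or BSD;
the function names read_pid and stop_daemon are this example's own.

```sh
#!/bin/sh
# Added example, not Enomaly's enomalism2.sh. Assumes Linux /proc or a
# ps(1) accepting 'ps -o comm= -p PID', and GNU or BSD stat(1). The names
# read_pid and stop_daemon are this example's own.
#
# Pattern described in the advisory, for contrast (do not use):
#   PID=$(cat $PIDFILE)
#   ls -l $PIDFILE | grep root && ps -p $PID | grep enomalism2d && kill $PID
# It follows symlinks, matches 'root' anywhere in the ls line (group name,
# link target), matches 'enomalism2d' anywhere in the ps line, and hands an
# unvalidated string to kill, so a file containing "-9 1" runs 'kill -9 1'.

# read_pid PIDFILE OWNER_UID COMM
# Prints the validated PID and returns 0, or prints nothing and returns 1.
read_pid() {
    pidfile=$1 want_uid=$2 want_comm=$3

    # 1. Never follow a symlink; the PID file must be a regular file.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then
        echo "read_pid: $pidfile is a symlink or not a regular file" >&2
        return 1
    fi

    # 2. Compare the numeric owner uid (GNU 'stat -c', BSD 'stat -f'), not
    #    'ls -l | grep root', which a group named 'beetroot' satisfies.
    owner=$(stat -c '%u' "$pidfile" 2>/dev/null || stat -f '%u' "$pidfile") || return 1
    if [ "$owner" != "$want_uid" ]; then
        echo "read_pid: $pidfile owned by uid $owner, expected $want_uid" >&2
        return 1
    fi

    # 3. The first line must be exactly one run of decimal digits. This is
    #    what stops "-9 1" from turning into extra arguments to kill.
    pid=$(head -n 1 "$pidfile")
    case $pid in
        ''|*[!0-9]*)
            echo "read_pid: malformed pid '$pid' in $pidfile" >&2
            return 1 ;;
    esac

    # 4. Exact match on the process's command name, not a grep substring.
    #    /proc/PID/comm is authoritative on Linux; ps is the fallback.
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        comm=$(ps -o comm= -p "$pid" 2>/dev/null)
    fi
    comm=${comm##*/}              # some ps implementations print a full path
    if [ -z "$comm" ] || [ "$comm" != "$want_comm" ]; then
        echo "read_pid: pid $pid is '$comm', not '$want_comm'" >&2
        return 1
    fi

    printf '%s\n' "$pid"
}

# stop_daemon PIDFILE OWNER_UID COMM: signal only a validated PID.
# '--' ends option parsing, so the argument can never be read as a signal.
stop_daemon() {
    pid=$(read_pid "$1" "$2" "$3") || return 1
    kill -- "$pid"
}

# Production use would look like (PID file owned by root, uid 0):
#   stop_daemon /var/run/enomalism2.pid 0 enomalism2d
```

Note that these checks complement, rather than replace, moving the PID file
out of /tmp: a symlink test on a file in a world-writable directory can still
be raced between the test and the subsequent open, so the directory itself
should not be writable by untrusted users.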
43
Resolution

All Enomaly ECP and Enomalism users should upgrade to version 2.2.1[6], which
includes the researcher's fix.

History

2009-02-09 Bug initially reported to Enomaly by mail
2009-02-09 CVE(s) requested from Mitre; TBA
2009-02-09 Product Development Manager acknowledged receipt.

Enomaly ECP Enomalism 2.2.1 Multiple Local Vulnerabilities
Sam Johnston
02/16/2009