April 25, 2011

Trustwave WebDefend Privilege Escalation Vulnerability








1. Summary:

A privilege escalation vulnerability has been identified in Trustwave's WebDefend Enterprise product.  It is possible for the restricted operator account to gain access as root on the appliance.



2. Description:

The operator account 'bgoperator' is used to perform system maintenance functions.  This account accesses the appliance via ssh. It is important to note that the operator account has a default password that has been provided in the 'Getting Started' manual.

The operator account has a menu driven shell that does not allow the user to input system commands.

---------
Main Menu
---------
1 -- Online Menu
2 -- Offline Menu
3 -- System Menu
? -- Help

The shell path for this account is located at:
'/usr/local/opt/breach/bin/start_bgadmin_cli'

Which is a script calling another script using the following line: 
'sudo -u root /opt/breach/bwd/bin/bgadmin_cli'

You can see above, the second script is being executed as root!

When viewing log files the shell uses the 'more' command.  When using 'more', pressing 'v', will start the file in 'vi' text editor.  From 'vi' it is possible to read and write to any file on the system as root.  By modifying the operator account's login script we are able to gain access to a root shell.

Below is a POC video demonstrating the attack:



3. Impact:

Total system compromise to the appliance


4. Affected Products:

WebDefend Enterprise Manager Appliance version 5.0 and prior


5. Solution:  None


6. Time Table:

01/26/2011 Reported Vulnerability to the Vendor


7. Credits:  

Discovered by Nathan Power 
www.securitypentest.com