SUMMARY
=======

An arbitrary command execution vulnerability exists in the command line
administration interface of the software used by DataDomain appliances.
An attacker who is able to access the administration interface could
exploit this vulnerability to install malicious software and use the
DataDomain appliance as a base from which to launch attacks on other
systems.

AFFECTED SOFTWARE
=================

* Data Domain OS 3.0.0 through 4.0.3.5
* Possibly Data Domain OS 2.x and earlier

UNAFFECTED
==========

* Data Domain OS 4.0.3.6 and later

IMPACT
======

An attacker who is able to access the administration interface could
install malicious software and use the DataDomain appliance as a base
from which to launch attacks on other systems. Because its owners may not
view the DataDomain appliance as a general-purpose device, they may not
suspect that it might be compromised. In that way the attacker might
evade detection, even if other compromised systems are discovered and
quarantined.

DETAILS
=======

Several of the commands present in the DataDomain administrative
interface are very simple wrappers around UNIX commands, including ping,
ifconfig, date, netstat, uptime, etc. In several cases, the arguments to
these commands are not sufficiently validated before they are passed to
the UNIX shell for execution. By using specially crafted arguments, an
attacker could inject shell special characters into the shell command
line, leading to execution of arbitrary programs.

SOLUTION
========

Upgrade to DataDomain OS 4.0.3.6 or later

EXPLOIT
=======

These command lines will launch an interactive UNIX shell:

    ifconfig eth0:\;sh
    ping sh interface eth0:\;

ACKNOWLEDGMENTS
===============

Thanks to DataDomain for fixing this issue quickly and their cooperation
in the development of this advisory.

REVISION HISTORY
================

2007-03-28  original release

-- 
Elliot Kendall <ekendall@brandeis.edu>
Network Security Architect
Brandeis University
Trouble replying? See http://people.brandeis.edu/~ekendall/sign/
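The wrapper pattern the advisory describes, shown as an added example that is constructed here and is not DataDomain's code: the unsafe builder splices the user's argument into a shell command string, while the hardened builder allowlists each argument per command and hands it to the program as a separate argv element so no shell parses it. The binary paths, the fixed ping options and the allowlist patterns are assumptions.

```python
import re
import subprocess

# Constructed illustration of a CLI verb that wraps a UNIX command.
# Not DataDomain's code; paths and allowlist patterns are assumptions.

# Assumed binary paths (and fixed options) for the wrapped commands.
WRAPPED = {
    "ifconfig": ["/sbin/ifconfig"],
    "ping": ["/bin/ping", "-c", "3"],
}

# Allowlist per verb: only characters that can form a valid argument.
# Shell metacharacters (; | & ` $ etc.) cannot match either pattern.
ARG_PATTERNS = {
    "ifconfig": re.compile(r"[a-z][a-z0-9]*(:[0-9]+)?"),  # eth0, eth0:1
    "ping": re.compile(r"[A-Za-z0-9.-]{1,253}"),          # hostname or IPv4
}


def build_shell_line_unsafe(verb, arg):
    """Vulnerable pattern: the argument is spliced into a shell command
    string. When that string reaches sh -c, a ';' in arg terminates the
    wrapped command and whatever follows runs as a second command."""
    return " ".join(WRAPPED[verb]) + " " + arg


def is_valid_argument(verb, arg):
    """True only if the whole of arg matches the allowlist for this verb.
    fullmatch (not match) also rejects a trailing newline."""
    pattern = ARG_PATTERNS.get(verb)
    return pattern is not None and pattern.fullmatch(arg) is not None


def build_argv_safe(verb, arg):
    """Hardened pattern: reject unknown verbs and non-allowlisted
    arguments, then return an argv list rather than a shell string."""
    if verb not in WRAPPED:
        raise ValueError(f"unknown command: {verb!r}")
    if not is_valid_argument(verb, arg):
        raise ValueError(f"invalid argument for {verb}: {arg!r}")
    return WRAPPED[verb] + [arg]


def run_wrapped(verb, arg):
    """Execute the wrapped command with a list argv, i.e. without a shell
    (subprocess.run defaults to shell=False)."""
    return subprocess.run(build_argv_safe(verb, arg),
                          capture_output=True, text=True, check=False)
```

With the argv form, an argument such as the hostname "sh" from the advisory's second exploit line is just a name for ping to resolve, since no shell ever sees it.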