Date: 22 Nov 2004 15:59:15 +0200
From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Subject: [UNIX] Privilege Escalation Vulnerabilities in W-Channel Embedded Linux
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Privilege Escalation Vulnerabilities in W-Channel Embedded Linux
------------------------------------------------------------------------
SUMMARY
<http://www.tc-ide.com/eng/tcs-features.htm>; W-Channel produces an
embedded Linux system that can turn existing PCs into thin terminal
clients. By plugging the TC-IDE into the IDE socket of the PC, the PC will
be booted by the embedded kernel, with terminal protocols (RDC, VNC
X-Windows etc).
Local user input handling vulnerabilities exist in WCI's TC-IDE Embedded
Linux that allow local users with access to the tools provided with the
system to spawn a root console, gaining full control over the running
Linux operating system.
DETAILS
Vulnerable Systems:
* W-Channel Embedded Linux version 1.53 and prior
Immune Systems:
* W-Channel Embedded Linux version 1.54 or newer
Several exploitation methods are explained below:
1) In the Net Tools dialog, type ";crxvt&" (without the quotes), and click
on Discover. A root shell within a virtual terminal should appear.
2) In the PPPoE dialer GUI, type the same as above in the username field,
and click connect.
3) In Opera, click on Menu, then Preferences. In E-mail, mark the "Use
specific e-mail client" radio button, and type "/bin/dillo" (without the
quotes) in the textbox below. Apply the settings, and close this menu. In
the main window, click on Mail, then Compose. The dillo browser window
should now be launched.
4) Point it to the following address:
http://localhost/cgi-bin/mycomputer.cgi. Go to the Control Panel -> User
Desktop. Enable "My Computer", then restart your desktop.
You should now have Administrator access to most of the settings.
Vendor Status:
The security problems were fixed in v1.54, Customers should contact
W-Channel for information on how to obtain the latest firmware.
Disclosure Timeline:
* Vendor informed: 15/10/04
* Vendor reply: 17/10/04
* Vendor fix release: 8/11/04
ADDITIONAL INFORMATION
The information has been provided by <mailto:team@eclipse.org.il.> ECL
team.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
