Multiple Vulnerabilities in Quest Privilege Manager 6.0.0.xx (CVE-2017-6553, CVE-2017-6554)

Product

Quest Privilege Manager

Overview

Two input validation vulnerabilities were identified in the pmmasterd daemon included with Quest Privilege Manager. They allow a remote attacker to compromise the system by gaining remote code execution with the privileges of the daemon (which runs as root by default).

Details follow below.

Privilege Manager pmmasterd Arbitrary File Write (CVE-2017-6554)

Version affected

Quest Privilege Manager <= 6.0.0-50

Description

By sending a specially crafted request (action code ACT_NEWFILESENT) to the pmserviced/pmmasterd daemon listening on port 12345, it’s possible to write anywhere on the filesystem with root permission. This can be abused by a remote attacker to gain full control of the system.

The server is only vulnerable when configured as a policy server (whether it is a policy server for Privilege Manager for Unix or for the Sudo Plugin is irrelevant).
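The root cause class here is a file name taken from the network and used as-is on the filesystem. The following is an added illustration, not Quest's code and not the actual pmmasterd message format: a lexical check that confines a client-supplied name to a fixed drop directory before any write happens. The directory, function names and return codes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not Quest's code: a server that accepts a file
 * name from a client must not let that name escape its designated drop
 * directory. The root directory below is a hypothetical value. */
#define DROP_ROOT "/var/lib/example/incoming"

/* Returns 1 if 'name' is a safe relative path (no leading '/', no empty,
 * "." or ".." components, no trailing '/'), else 0. The check is purely
 * lexical: it does not resolve symlinks, so the drop directory itself must
 * not contain links a client could influence. */
int is_safe_relative_name(const char *name) {
    if (name == NULL || name[0] == '\0' || name[0] == '/') return 0;
    const char *p = name;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t seg_len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (seg_len == 0) return 0;                                /* "a//b" */
        if (seg_len == 1 && p[0] == '.') return 0;                 /* "." */
        if (seg_len == 2 && p[0] == '.' && p[1] == '.') return 0;  /* ".." */
        if (!seg_end) break;
        p = seg_end + 1;
        if (*p == '\0') return 0;                                  /* "a/" */
    }
    return 1;
}

/* Builds the full destination path under DROP_ROOT. Returns 0 on success,
 * -1 if the name is rejected, -2 if the result does not fit in 'out'. */
int confine_path(const char *name, char *out, size_t out_len) {
    if (!is_safe_relative_name(name)) return -1;
    int n = snprintf(out, out_len, "%s/%s", DROP_ROOT, name);
    if (n < 0 || (size_t)n >= out_len) return -2;
    return 0;
}

/* Convenience wrapper: returns the confined path, or NULL when rejected. */
const char *confine_or_null(const char *name) {
    static char buf[512];
    return confine_path(name, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    /* Constructed sample names: one acceptable, three that try to escape. */
    const char *samples[] = {"reports/today.log", "../../etc/passwd",
                             "/etc/passwd", "a/../../b"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = confine_or_null(samples[i]);
        printf("%-20s -> %s\n", samples[i], r ? r : "REJECTED");
    }
    return 0;
}
```

Rejecting rather than normalizing is deliberate: a name the server cannot interpret unambiguously should be refused, and a rejection is an event worth logging on a daemon that runs as root.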

CVE ID

CVE-2017-6554

Exploit

https://www.exploit-db.com/exploits/41861/

Privilege Manager pmmasterd Buffer Overflow (CVE-2017-6553)

Version affected

Quest Privilege Manager <= 6.0.0-50

Description

By sending a specially crafted request (action code ACT_ALERT_EVENT) to the pmserviced/pmmasterd daemon on port 12345 of a Privilege Manager Server system (again, whether it is a policy server or a sudo plugin manager is irrelevant), it’s possible to corrupt the pmmasterd process memory. This can be exploited to cause a denial of service, leak process memory, or execute arbitrary code in the context of the process.

This appears to be caused by an unsafe memcpy call in the function pmm_handle_incoming_ping(), where the size argument is taken from untrusted user input.

This can be abused by a remote attacker to gain full control of the system.
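To make the memcpy defect concrete, here is an added example in C that is not Quest's code and does not reproduce the real pmmasterd message layout: a handler that copies a peer-supplied payload into a fixed buffer, shown in the unsafe form the advisory describes and in a hardened form that bounds the copy by both the destination capacity and the bytes actually received. The buffer size, the two-byte length header and all names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the unsafe-memcpy pattern described in the
 * advisory. Buffer size, message layout and function names are assumptions,
 * not Quest's code. */
#define PAYLOAD_MAX 64   /* fixed-size destination buffer (hypothetical) */

/* Assumed wire layout: 2-byte big-endian payload length, then the payload. */
static uint16_t rd_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the copy length is whatever the peer claimed.
 * Overflows 'out' when claimed > PAYLOAD_MAX and reads past 'msg' when
 * claimed > msg_len - 2. Shown for contrast only; never feed it peer data. */
int handle_ping_unsafe(const uint8_t *msg, size_t msg_len, uint8_t out[PAYLOAD_MAX]) {
    if (msg_len < 2) return -1;
    uint16_t claimed = rd_be16(msg);
    memcpy(out, msg + 2, claimed);
    return (int)claimed;
}

/* Hardened form: validate the claimed length against both limits before
 * touching memory, and report which check failed. */
int handle_ping_safe(const uint8_t *msg, size_t msg_len, uint8_t out[PAYLOAD_MAX]) {
    if (msg_len < 2) return -1;                    /* header missing */
    uint16_t claimed = rd_be16(msg);
    if (claimed > PAYLOAD_MAX) return -2;          /* would overflow out[] */
    if ((size_t)claimed > msg_len - 2) return -3;  /* would over-read msg[] */
    memcpy(out, msg + 2, claimed);
    return (int)claimed;
}

/* Constructed sample messages: one well-formed, three malformed. */
static const uint8_t SAMPLE_OK[]        = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_OVERSIZED[] = {0x04, 0x00, 'x', 'x', 'x', 'x'};  /* claims 1024 */
static const uint8_t SAMPLE_TRUNCATED[] = {0x00, 0x10, 'a', 'b'};            /* claims 16, sends 2 */
static const uint8_t SAMPLE_SHORT[]     = {0x00};                            /* no full header */

/* Runs the hardened handler over one sample and returns its result code. */
int check_sample(const uint8_t *msg, size_t msg_len) {
    uint8_t out[PAYLOAD_MAX] = {0};
    return handle_ping_safe(msg, msg_len, out);
}

int demo_ok(void)        { return check_sample(SAMPLE_OK, sizeof SAMPLE_OK); }
int demo_oversized(void) { return check_sample(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED); }
int demo_truncated(void) { return check_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED); }
int demo_short(void)     { return check_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT); }

int main(void) {
    printf("ok=%d oversized=%d truncated=%d short=%d\n",
           demo_ok(), demo_oversized(), demo_truncated(), demo_short());
    return 0;
}
```

The two malformed cases correspond to the two outcomes the advisory lists: an oversized claim is the write past the buffer, and a claim larger than what was received is the over-read that leaks process memory. Both are cheap to refuse up front, and a distinct error code per check gives the daemon something specific to log.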

CVE ID

CVE-2017-6553

Exploit

The developed exploit works against pmmasterd 6.0.0-27 on x86 and x86_64 architectures. Although versions up to 6.0.0-50 were also found to be vulnerable, more recent versions include a stack cookie check on a number of functions, including the vulnerable one.

Although this could be overcome by combining the attack with a memory leak, the leak would have to happen during the same connection, as the pmmasterd daemon is spawned by pmserviced on every connection request and then terminated.

https://www.rapid7.com/db/modules/exploit/linux/misc/quest_pmmasterd_bof

Recommendation

Deploy the latest vendor updates. Both issues have been fixed in version 6.0.0-61.

Disclosure Timeline

10 Mar 2017 – Contacted Vendor
20 Mar 2017 – Initial feedback from Vendor, requesting PoC
20 Mar 2017 – PoC sent to the vendor
3 Apr 2017 – Vendor delivers official fixes
7 Apr 2017 – Public Disclosure

References

https://www.quest.com/products/privilege-manager-for-unix/