BID:23182

Data Domain Administration Interface Local Privilege Escalation Vulnerability

Info

Data Domain Administration Interface Local Privilege Escalation Vulnerability

Bugtraq ID:	23182
Class:	Input Validation Error
CVE:
Remote:	No
Local:	Yes
Published:	Mar 28 2007 12:00AM
Updated:	Mar 29 2007 12:23AM
Credit:	Elliot Kendall is credited with the discovery of this vulnerability.
Vulnerable:	Data Domain Data Domain OS 3.0 Data Domain Data Domain OS 4.0.3.5

Not Vulnerable:	Data Domain Data Domain OS 4.0.3.6

Discussion

Data Domain Administration Interface Local Privilege Escalation Vulnerability

Data Domain is prone to a local privilege-escalation vulnerability because the application fails to sanitize user-supplied input before passing it to a UNIX shell for execution.

An attacker can exploit this issue to install malicious software and execute arbitrary commands with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.

This issue affects Data Domain 3.0.0 through 4.0.3.5.

Exploit / POC

Data Domain Administration Interface Local Privilege Escalation Vulnerability

An attacker can exploit this issue through the Data Domain administrative interface.

Solution / Fix

Data Domain Administration Interface Local Privilege Escalation Vulnerability

Solution:
The vendor released an update to address this issue. Please contact the vendor for information on how obtain and apply this update.

References

Data Domain Administration Interface Local Privilege Escalation Vulnerability

References:

Data Domain Homepage (Data Domain)
Arbitrary Command Execution in DataDomain Administrator Interface ([email protected])