
Re: Bastille and Comcast CVE IDs

On 2017-10-02 11:27, Coffin, Chris wrote:

>> CVE-2017-9479
>> https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-22.syseventd.txt
>> CVE-2017-9480
>> https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-23.upnp-directory-write.txt
> Here, problem number 22 (CVE-2017-9479) is unauthenticated execution 
> of various commands as root. These commands can achieve a variety of 
> results. From a penetration-testing perspective, the interest is in 
> exfiltrating sensitive information for use in other attacks.
> Problem number 23 (CVE-2017-9480) is the existence of an undocumented 
> HTTP server that provides access to a /var/IGD/ directory tree 
> containing zero or more files, and is reachable without 
> authentication. From a penetration-testing perspective, the interest 
> is in immediately continuing the process of exfiltrating information.
> However, even if problem 22 were fixed, a configuration file could 
> still be present in the HTTP server's directory tree if problem 22 
> had been exploited at any time before the fix occurred. That is the 
> primary reason for a separate CVE. Also, it is possible that files 
> are sometimes written to the HTTP server's directory tree for 
> unrelated reasons, e.g., a Comcast technician copies files there 
> while resolving a customer problem.

"Undocumented" can be an aspect of a vulnerability.  I'm not going to 
push for reject or disputed, but:

What would be different about a Linux system running Apache and an 
attacker (possibly using other vulnerabilities) putting files in the 
Apache root to then download them?

Unless there is some other legitimate process that puts configuration 
files in /var/IGD, I don't see #23 as anything different than "device 
runs a web server."

 - Art

Page Last Updated or Reviewed: October 02, 2017