what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Enomaly ECP/Enomalism Code Execution

Enomaly ECP/Enomalism Code Execution
Posted Feb 13, 2009
Authored by Sam Johnston

All versions of Enomaly ECP/Enomalism have an insecure silent update mechanism that could allow a remote attacker to execute arbitrary code as root.

tags | advisory, remote, arbitrary, root
SHA-256 | 9f314c7d809a33fd1f2f922ca6d89e8825901419404addfcf7d0d5e4c2e48bca

Enomaly ECP/Enomalism Code Execution

Change Mirror Download
Enomaly ECP/Enomalism: Silent update remote command execution vulnerability

Synopsis

All versions of Enomaly ECP/Enomalism have an insecure silent update mechanism
that could allow a remote attacker to execute arbitrary code as root.

Background

Enomaly ECP (formerly Enomalism) is management software for virtual machines.

Description

Sam Johnston (http://samj.net/) of Australian Online Solutions
(http://www.aos.net.au) reported that the main Enomaly ECP daemon (enomalism2d)
includes an undocumented silent update mechanism that insecurely downloads and
executes code from Enomaly's corporate web server.

Enomaly ECP silently attempts to receive and forcibly install unsigned python
modules over HTTP from http://enomaly.com/fileadmin/eggs/ (currently exception
drivemounter, and phone_home) when encountering any error loading any module.
This allows for remote, privileged exploitation without any user intervention.

Impact

Combined with the ability to intercept requests to Enomaly's corporate web
server by other means such as ARP or DNS spoofing, or compromise the server
itself or any intermediary server, it is possible to execute arbitrary
commands as the root user on any server requesting an update. An attacker may
also be able to trigger the update mechanism by inducing any condition where
modules fail to load, e.g. exhausting memory by making many web requests.

Workaround

Resolve enomaly.com to 127.0.0.1 in affected servers' hosts files.

Resolution

There is no resolution at this time as the feature cannot be disabled. Vendor
claims that the vulnerability is by design and has no plans to release a fix.

History

2009-02-09 Bug initially reported to Enomaly by mail
2009-02-09 CVE requested from Mitre; TBA
2009-02-10 Product Development Manager acknowledged receipt:
"This is by design, it's a method to allow modules to be downloaded and
installed as needed. It's a recovery mechanism for borked installs (which
happen quite frequently with easy_install). None of this stuff is exploitable
or malicious under any normal circumstances."
2009-02-12 Publication of vulnerability
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close