During a recent pentest engagement I came across an agent installed on a UNIX (AIX) host from the nice folks at TIDAL.
The agent leverages SUID and root privileges to run scheduled jobs.
Checking Exploit-DB came up with nothing. However, a poke around MITRE pointed me to CVE-2014-3272:

"The Agent in Cisco Tidal Enterprise Scheduler (TES) 6.1 and earlier allows local users to gain privileges via crafted Tidal Job Buffers (TJB) parameters, aka Bug ID CSCuo33074." (MITRE website)
After some digging around, here is what the above should actually say: Tidal agents below 188.8.131.52 suffer from a privilege escalation bug via crafted Tidal Job Buffers (TJB) parameters. That is, although the centralised 'Tidal Master' is labelled version 6.1.x, the agents that do the actual work of running the jobs, and that carry the bug, are labelled version 3.x.
What I knew:
- The agent version installed on my AIX machine was 184.108.40.206
- No public exploits, given it was discovered and fixed by the vendor itself (Cisco owned the product, and Cisco released the fix).
- Only agent versions below 220.127.116.11 were affected
All was lost? Not exactly. Using some techniques from my SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking training (thanks heaps Jake Williams and Stephen Sims) I was able to figure out the problem quite quickly.
What I realised was that the issue was not fixed by Cisco for AIX. I could easily escalate my privileges to root.
Being the responsible guy I am:
- I contacted Cisco and the new vendor (it took a while to figure out who owned the problem)
- Explained the 0-day on 23/01/2019
- Got a fix version 18.104.22.168 on 22/04/2019
My first 0-day and coordinated disclosure. What a joy.