[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] ADP Elite System Max 9000 Series Login Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] ADP Elite System Max 9000 Series Login Vulnerability
From: rootfiend@xxxxxxxxxxxxx
Date: Sat, 19 Feb 2005 13:02:02 -0500

Adp Elite system is an invoice/purchase order suite very common in car 
dealerships.  It's a telnet based system.  When a user logs in via telnet, adp 
dumps the user into the program where the user can check on a vehicle's status, 
generate PO's and RO's, etc....  The program is rather large and runs on a 
linux based system.  Usually ftp is running as well.  A user with a valid login 
name/pass...  eh...cough...ettercap...cough is able to upload/download things 
into/from their directory... usually something like /adp/home/<user>....  by 
default there is a .profile containing this little gem... 

# ADPROOT is equivalent to REALROOT on CoRA systems
ADPROOT=${ADPROOT:="/adp"}
export ADPROOT

download it... modify it to 

# ADPROOT is equivalent to REALROOT on CoRA systems
ADPROOT=${ADPROOT:="/"}
export ADPROOT

then upload it...

now login via telnet... and bingo now you have a $hell

fix: chown root:root .profile

credit: rootfiend
questions/comments: rootfiend@xxxxxxxxxxxxx



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] Multiples vulnerability in ZeroBoard,
Next by Date: Re: [Full-Disclosure] How T-Mobil's network was compromised
Previous by thread: [Full-Disclosure] Multiples vulnerability in ZeroBoard,
Next by thread: Re: [Full-Disclosure] this is fun?
Index(es):
- Date
- Thread