Technical details sent to LANDesk by Core.
. 2010-01-05:
LANDesk notifies Core that they have reproduced and confirmed the
vulnerability. The vendor also reports that it has created an in-house
Change Request for the issue and is currently scoping it in order to
set a date for a patch release.
. 2010-01-18:
Core asks the LANDesk team for a status update and reminds the vendor
that publication of the advisory is scheduled for January 25th.
To reproduce, request a password change for a user provisioned on a
Solaris server. The password must consist of the UNIX shell command to
be executed, repeated twice and separated by a newline character. One
way to do this is to use an intercepting web proxy (such as WebScarab)
to modify the HTTP message carrying the password change request. For
example, to inject the 'id > /x' command, the modified request will
look as follows:
POST /idm/user/changePassword.jsp?lang=en&cntry=US HTTP/1.1
id=***&command=Save&activeControl=&resourceAccounts.selectAll=true&
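
A defensive check for the request described above, as an added example that is not part of the original advisory: it decodes a form-encoded body and reports every field whose value carries a newline or other control character, so a password change handler can reject the request before the value is used on the managed resource. The `password` and `confirm` field names and all sample bodies are constructed assumptions; the request on the page is cut off before those fields.

```python
from urllib.parse import parse_qsl, unquote


def control_chars(value):
    """Return the set of hex codes of control characters (< 0x20, or DEL)."""
    return {f"0x{ord(c):02x}" for c in value if ord(c) < 0x20 or ord(c) == 0x7F}


def inspect_body(body):
    """Map each form field to the control characters found in its value.

    parse_qsl decodes each value once; the value is decoded a second time
    so that double-encoded input such as %250A is reported as well.
    """
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        found = control_chars(value) | control_chars(unquote(value))
        if found:
            # Merge, so a repeated field name cannot hide an earlier finding.
            findings[name] = sorted(set(findings.get(name, [])) | found)
    return findings


def is_acceptable(body):
    """True only when no field in the body carries a control character."""
    return not inspect_body(body)


# Constructed sample bodies. "id" and "command" appear in the request on the
# page; "password" and "confirm" are hypothetical field names.
CLEAN = "id=jdoe&command=Save&password=N3w-Passw0rd%21&confirm=N3w-Passw0rd%21"
NEWLINE = "id=jdoe&command=Save&password=abc%0Aabc&confirm=abc%0D%0Aabc"
DOUBLE = "id=jdoe&command=Save&password=abc%250Aabc&confirm=abc"

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("newline", NEWLINE), ("double", DOUBLE)):
        print(label, inspect_body(body) or "ok")
```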