GNS-3 “ubridge” local privilege escalation attack (0day)

Graphical Network Simulator 3 is a popular package for building and designing networks. We recently discovered that the Mac OS X version bundles a setuid root binary, “ubridge”, which is used to bridge network interfaces. The binary does not drop any privileges and retains root throughout its operation, which allows trivial attacks such as reading files from the command line with “-f”. Reading files as root is useful in itself, but more usefully the application also lets an attacker open and create files through “ubridge.ini” configuration options by specifying a location to write a pcap file. That pcap file captures any and all traffic the ubridge network connections are set up to pass, so an attacker can also send a packet whose contents give a semi-controllable write into any file as root. This level of control allows a trivial local privilege escalation which can result in full root compromise of any OS X platform and of other systems where “ubridge” is installed setuid root. To exploit this vulnerability we write a malicious configuration file, load ubridge and then send a magic UDP packet, which is stored in root’s crontab to obtain local command execution. We tested this attack against version 1.5.2 of GNS-3 on the latest OS X platform. The “ubridge” application is insecure by design as it has no privilege separation code; the setuid bit should be removed to prevent such attacks. For the commands to execute through cron, the root user must already have a crontab installed (even an empty one created with “crontab -e”), or the box must be rebooted after the first attempt.
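The condition that makes this attack possible is a setuid root binary with no privilege dropping, and the mitigation the advisory gives is to remove the setuid bit. The following is an added example (not code from the advisory or the GNS3 project) that audits a directory tree for setuid binaries owned by a given account and drops the bit from a named file; the install path of ubridge is not given on this page and is left as a placeholder.

```shell
#!/bin/sh
# Added example: find setuid binaries owned by an account (root by default)
# and remove the setuid bit, the mitigation this advisory recommends.

# audit_setuid DIR [OWNER]
# Lists regular files under DIR that have the setuid bit set and are owned
# by OWNER. Returns 0 when none are found, 1 when at least one is reported.
audit_setuid() {
    dir="$1"
    owner="${2:-root}"
    # -perm -4000 matches the setuid bit regardless of the other mode bits;
    # -user and -perm are POSIX find predicates and work on macOS and Linux.
    hits=$(find "$dir" -type f -user "$owner" -perm -4000 2>/dev/null)
    if [ -z "$hits" ]; then
        return 0
    fi
    # Report mode and owner for each hit so the finding can be reviewed.
    printf '%s\n' "$hits" | while IFS= read -r f; do
        ls -ld "$f"
    done
    return 1
}

# drop_setuid FILE
# Clears the setuid bit so FILE runs with the invoking user's privileges,
# then verifies with the POSIX -u test that the bit is really gone.
drop_setuid() {
    chmod u-s "$1" && ! [ -u "$1" ]
}

# Stand-alone usage: the directory below is a hypothetical placeholder for
# wherever GNS3 installed ubridge on your system (not from the advisory).
# audit_setuid /path/to/GNS3/ubridge-dir || echo "setuid root binaries found"
```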

A screenshot showing exploitation is shown below.

You can download an exploit for this issue here. We attempted to contact GNS3 regarding this issue, but emails to the security address were rejected. The vendor has since been notified of this vulnerability and made fixes available; you can address this weakness by following the guidance in the project documentation at [0]. It has also been added as a known weakness at [1], and the project has added a security address for future submissions.
[0] Vendor mitigation advice
[1] Vendor acknowledgement
