[NEWS] SNAP Innovation's PrimeBase Database Default File Permissions and Symlinks Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 10/09/03

    To: list@securiteam.com
    Date: 9 Oct 2003 18:15:48 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SNAP Innovation's PrimeBase Database Default File Permissions and Symlinks
    Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    The PrimeBase Database Server <http://www.primebase.com/en/index.html> is
    "a relational Database Management System (DBMS) for Mac, UNIX and Windows
    platforms. The PrimeBase Database Server supports all common database
    access standards (PBT, SQL, ODBC, JDBC, PHP, Perl, RealBasic, EOF and DAL)
    and protocols (TCP/IP, Shared Memory and Appletalk)".

    Two security vulnerabilities have been found in the product allowing local
    users to overwrite local files.

    DETAILS

    Vulnerable systems:
     * SNAP Innovation's PrimeBase Database version 4.2 (PrimeBase Data Server
    Build 4212)

    Poor use of temporary files during installation
    Larry noticed that the PrimeBase install script writes its log to a fixed
    path in /tmp:

    LOG="/tmp/PrimeBase.log"
            echo "$str:[y/n]" | tee $LOG
    echo "PrimeBase Installation: $now" >> $LOG

    If a malicious user knows in advance that the administrator is going to
    install PrimeBase and has created a symbolic link at that path:
    [nobody $] ln -s /etc/shadow /tmp/PrimeBase.log

    then the contents of /etc/shadow will be overwritten with the contents of
    PrimeBase.log.

    Poor default file permissions
    A malicious local user could manipulate the binaries for PrimeBase used by
    the administrator and execute arbitrary code. The attacker would need to
    wait until the Database was restarted or the system rebooted.
    [root@Fester local]# ls -ld /usr/local/primebase
    drwxrwxrwx 6 root root 4096 Sep 1 13:57 primebase

    These types of vulnerabilities seem to be common with the database crowd.

    Impact:
    Local attackers can exploit these vulnerabilities to clobber root owned
    system files and modify software binaries. This could possibly lead to a
    denial of service or system compromise.

    Workaround:
    Temporary file vulnerability
    Boot the system into single user mode only and ensure no other users are
    logged in during installation.

    Default file permissions
    Change directories to more restrictive ownerships (untested).
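
Added example (not part of the original advisory and not vendor code): a shell sketch of how an installer can avoid both issues above, by creating its log with mktemp instead of a fixed /tmp path and by auditing the install tree for world-writable entries. The function names are hypothetical; only /tmp/PrimeBase.log and /usr/local/primebase come from the advisory.

```sh
#!/bin/sh
# Added example. Function names are assumptions made for illustration.

# Create the installer log under an unpredictable name. mktemp opens the
# file exclusively (it fails rather than reusing an existing path) with
# mode 0600, so a symlink planted in advance at a guessable name such as
# /tmp/PrimeBase.log is never followed.
# $1: directory for the log (defaults to $TMPDIR, then /tmp).
# Prints the path of the new log file on stdout.
open_install_log() {
    dir="${1:-${TMPDIR:-/tmp}}"
    log=$(mktemp "$dir/PrimeBase.log.XXXXXX") || return 1
    printf '%s\n' "$log"
}

# Return 0 only if $1 is an existing regular file and not a symbolic link.
# Useful as a pre-flight check when a fixed log path cannot be avoided.
is_safe_log_target() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# List every file or directory under $1 that any local user can write to.
# Symlinks are skipped because their own mode bits are not meaningful.
# Empty output means nothing under the tree is world-writable.
world_writable_paths() {
    find "$1" ! -type l -perm -0002 2>/dev/null
}

# How an installer would use these in place of LOG="/tmp/PrimeBase.log":
#   LOG=$(open_install_log) || exit 1
#   echo "PrimeBase Installation: $now" >> "$LOG"
# and, after installation:
#   world_writable_paths /usr/local/primebase
```

Any path printed by world_writable_paths is a candidate for tightening with chmod o-w, in line with the "more restrictive" permissions workaround above.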

    Disclosure timeline:
    9/16/2003 Issue disclosed to Vendor.
    9/26/2003 Response from Vendor, next version will be fixed.

    ADDITIONAL INFORMATION

    The information has been provided by Larry W. Cashdollar.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
