Title: Teradata Virtual Machine Community Edition v15.10 has insecure file permission |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-10-01 |
CVE-ID:[CVE-2016-7488] |
CWE: CWE-264 Permissions, Privileges, and Access Control |
Download Site: http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware |
Vendor: Teradata |
Vendor Notified: 2016-10-01 |
Vendor Contact: webform contact |
Advisory: http://www.vapidlabs.com/advisory.php?v=172 |
Description: A database appliance for virtual machine environments. |
Vulnerability: Teradata Virtual Machine Community Edition v15.10 has insecure file permissions on /etc/luminex/pkgmgr. These could allow a local user to modify its contents and execute commands as root.
TVME:/ # ls -ld /etc/luminex/
drwxrwxrwx 2 root root 4096 Mar 3 2016 /etc/luminex/
TVME:/# ls -l /etc/luminex/
total 128
-rwxrwxrwx 1 root root 24576 Mar 3 2016 packages.db
-rwxrwxrwx 1 root root 102357 Mar 3 2016 pkgmgr
|
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory