Title: Cache Database Poor File Permissions Lead To Local Root |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2003-03-11 |
CVE-ID:[CVE-2003-0498][CVE-2003-0497] |
CWE: |
Download Site: http://www.intersystems.com/our-products/cache/cache-overview/ |
Vendor: InterSystems Cache |
Vendor Notified: 2003-03-11 |
Vendor Contact: support@intersystems.com |
Advisory: http://www.vapid.dhs.org/advisories/cache_database_file_permissions.html |
Description: Cache', the post-relational database for e-applications, is optimized for the tougher demands of Web applications. It delivers breakthrough performance for massively scalable Web applications. Its rapid application development environment with advanced object technology lets you operate at Internet speed. Cache's ultra-fast SQL outperforms relational systems 20X. And its multidimensional application and data server delivers lightning-fast performance. |
Vulnerability: The default installation of the Cache database yeilds poorly protected files and directories in the main package tree. Directories and files are open to all users as read write and execute.
Local attackers can exploit this to manipulate directories and binaries inside the installation tree. This may be used by a local malicious user to gain root access. The content in /cachesys/csp/user is executed as root through the web interface. user's parent directory (csp) is world writeable allowing a local non root user to move user aside, copy its contents and create a new writeable user directory.
$ mv /cachesys/csp/user /cachesys/csp/user.old
$ cp -rp /cachesys/csp/user /cachesys/csp/user.old
$ cp cspexp.csp /cachesys/csp/user
$ lnyx http://localhost/csp/user/cspexp.csp
$ su - cache |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory