SecurityTracker
Archives
Category:   Application (Database)  >   Cache
Vendors:   InterSystems Corporation
InterSystems Cache Database File Permissions Let Local Users Modify Files to Gain Root Privileges
SecurityTracker Alert ID:  1007088
SecurityTracker URL:  http://securitytracker.com/id/1007088
CVE Reference:   CVE-2003-0497, CVE-2003-0498   (Links to External Site)
Updated:  Dec 2 2003
Original Entry Date:  Jul 1 2003
Impact:   Execution of arbitrary code via local system, Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.x
Description:   A vulnerability was reported in InterSystems Cache database. A local user can gain root privileges.

iDEFENSE reported that Cache installs critical files with world-writable file permissions by default. A local user can reportedly modify the /cachesys/bin/cache binary to include arbitrary code. Then, the local user can invoke /cachesys/bin/cuxs, a set user id (setuid) 'root' user binary, to cause the modified cache binary to be executed with root privileges.

It is also reported that a local user can execute a server side script from /cachesys/csp directory, as the contents of that directory can be executed with root privileges via the web interface. According to the vendor, Cache will execute Cache Server Pages (CSP) with the privileges of the user that started Cache, which may be root user privileges.

The following notification timeline is provided:

11 MAR 2003 First attack vector disclosed to iDEFENSE
18 APR 2003 Second attack vector disclosed to iDEFENSE
10 JUN 2003 Research Completed on Issues
10 JUN 2003 InterSystems Corporation notified
11 JUN 2003 Response from David Shambroom of InterSystems
01 JUL 2003 Coordinated Public Disclosure

Impact:   A local user can gain root privileges on the system.
Solution:   The vendor plans to correct the flaw in Cache versions 4.1.16 and 5.0.3.

As a workaround, the vendor has indicated that you can log in as "root", change to the directory where Caché is installed, and issue the following command:

chmod go-w bin

Also, if Cache is not being used for CSP programming and is not running in conjunction with a local Apache web server, you can issue the command:

chmod -R go-w csp
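
As an added example (not part of the SecurityTracker entry, the iDEFENSE advisory, or InterSystems' own guidance), the following POSIX shell script does the check the advisory's detection section points at and then applies the workaround above: it lists every world-writable file or directory under the install's bin/ and csp/ subtrees, counts them, and removes the group/other write bits. The install root is passed as an argument (the advisory's /cachesys is one example; the name CACHE_HOME is not used by the product), and the demo tree the script builds under mktemp is constructed for illustration, not a real install. It deliberately recurses into bin/ rather than repeating the vendor's non-recursive `chmod go-w bin`, because the world-writable binary inside bin/ is what the advisory says gets modified.

```shell
#!/bin/sh
# Added example, not the advisory's or vendor's code: audit a Caché install
# tree for world-writable entries and apply the chmod go-w workaround.

# Print every world-writable file or directory beneath the named
# subdirectories of the install root. Empty output means nothing is
# world-writable. -perm -002 matches any entry whose "other write" bit is set.
audit_world_writable() {
    root="$1"; shift
    for sub in "$@"; do
        [ -d "$root/$sub" ] || continue
        find "$root/$sub" -perm -002 -print
    done
}

# Number of world-writable entries, handy as a check value in monitoring.
count_world_writable() {
    audit_world_writable "$@" | wc -l | tr -d ' '
}

# Apply the workaround: strip group and other write bits from bin/ and csp/.
# Recursing into bin/ goes beyond the vendor's "chmod go-w bin" so that the
# binaries inside bin/ are covered too, not only the directory entry.
harden_cache_tree() {
    root="$1"
    chmod -R go-w "$root/bin"
    if [ -d "$root/csp" ]; then
        chmod -R go-w "$root/csp"
    fi
    return 0
}

# Build a constructed, Caché-shaped tree with the advisory's default
# permissions (drwxrwxrwx) so the audit and fix can be exercised offline.
make_demo_tree() {
    demo="$(mktemp -d)"
    mkdir -p "$demo/bin" "$demo/csp/user"
    printf '#!/bin/sh\necho cache\n' > "$demo/bin/cache"
    printf 'demo page\n' > "$demo/csp/user/hello.csp"
    chmod 777 "$demo/bin" "$demo/bin/cache" "$demo/csp" "$demo/csp/user"
    chmod 666 "$demo/csp/user/hello.csp"
    printf '%s\n' "$demo"
}

# Usage: sh audit_cache_perms.sh demo      (self-contained demonstration)
#        sh audit_cache_perms.sh /cachesys (audit a real install, no changes)
case "${1:-}" in
    demo)
        d="$(make_demo_tree)"
        echo "before: $(count_world_writable "$d" bin csp) world-writable entries"
        harden_cache_tree "$d"
        echo "after:  $(count_world_writable "$d" bin csp) world-writable entries"
        rm -rf "$d"
        ;;
    "")
        ;;
    *)
        audit_world_writable "$1" bin csp
        ;;
esac
```

Run with an install path to get a plain list suitable for a cron job or a configuration-audit check; only the `demo` mode changes permissions, and only on its own temporary tree.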

Vendor URL:  www.intersystems.com/support/flash/index.html (Links to External Site)
Cause:   Access control error, Configuration error
Underlying OS:  Linux (Red Hat Linux), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] iDEFENSE Security Advisory 07.01.03: Caché Insecure Installation File and Directory Permissions



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 07.01.03:
http://www.idefense.com/advisory/07.01.03.txt
July 1, 2003

I. BACKGROUND

e-applications that is optimized for web applications. More information
about the application is available at
http://www.intersystems.com/cache/index.html .

II. DESCRIPTION

allowing local attackers to gain root access by manipulating items in
the main package tree. The vulnerability specifically exists because
files and directories are open to all users for read, write, and
execute operations. An example of such a directory is the ecache/bin
directory:

[farmer@vmlinux ecache]$ ls -ld bin
drwxrwxrwx 2 root root 4096 May 2 05:34 bin

The displayed permissions are that of a default install.

III. ANALYSIS

Two attack vectors exist by which any local attacker can gain root
privileges:

* Overwriting a globally writeable binary that is executed from a set
user id (setuid) root binary by the wrapper, /cachesys/bin/cuxs.

* Executing a server side script from /cachesys/csp/user. The content
in that directory is executed as root through the web interface.

IV. DETECTION

well.

V. WORKAROUND

Administrators can prevent exploitation by making file permissions more
restrictive. This should prevent attackers from overwriting binaries or
placing scripts in /cachesys/csp/user.

VI. VENDOR FIX

InterSystems provided an alert to its customer base that is viewable at
http://www.intersystems.com/support/flash/index.html. In it, the
4.1.16 and 5.0.3.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification numbers to these issues:

CAN-2003-0498 code injection into /cachesys/csp

VIII. DISCLOSURE TIMELINE

11 MAR 2003      First attack vector disclosed to iDEFENSE
18 APR 2003      Second attack vector disclosed to iDEFENSE
10 JUN 2003      Research Completed on Issues
10 JUN 2003      InterSystems Corporation notified
11 JUN 2003      Response from David Shambroom of InterSystems
01 JUL 2003      Coordinated Public Disclosure

IX. CREDIT

Larry W. Cashdollar (lwc@vapid.ath.cx) discovered this vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPwFrA/rkky7kqW5PEQInAACg+4f308YwrhJ8honIK5tFyAz4Fe8An2mP
oo0XQnUmHaiPOM98pFIKow4n
=lKCb
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Copyright 2021, SecurityGlobal.net LLC