Teradata Studio Express 15.12.00.00 Race Condition Vulnerability

2016-11-19T00:00:00
ID 1337DAY-ID-26384
Type zdt
Reporter Larry Cashdollar
Modified 2016-11-19T00:00:00

Description

Exploit for linux platform in category local exploits

                                        
                                            Title: /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-03
Download Site: http://downloads.teradata.com/download/tools/teradata-studio-express
Vendor: Teradata
Vendor Notified: 2016-10-03
Vendor Contact: web form contact
Description: Teradata Studio Express provides an information discovery tool that retrieves data from Teradata Database systems and allows the data to be manipulated and stored on the desktop. It is built on the Eclipse Rich Client Platform (RCP). 
Vulnerability:
The installation script for TeradataStudioExpress.15.12.00.00 creates files in /tmp insecurely.  A malicious local user could create a symlink in /tmp and possibly clobber system files or perhaps elevate privileges.

$ grep -n "/tmp" studioexpressinstall 

33:ASKDIRFILE=/tmp/sqlajeaskdir
41:DEF_TRACEFILE=/tmp/studioexinstall.log
44:TMP=/tmp
72:SQLAJEINPUTS=/tmp/studioexinputs
90:RPM_OUT_FILE=/tmp/studioexinstall_rpmcmd.out
103:SQLAJEINSTALL=/tmp/studioexpressinstall
136:   java -version > "/tmp/javaver" 2>&1
137:   verstring=`grep "java version" /tmp/javaver`
143:      jre64b=`grep "64-Bit" /tmp/javaver`
212:rm -f /tmp/javaver 
341:   tmptracefile=/tmp/studioexinstall.log.tmp    #Temporary trace file.
588:touch /tmp/checkstudioexinstall
603:rm -f /tmp/checkstudioexinstall
604:rm -f /tmp/studioexinstall_rpmcmd.out

CVE-ID: CVE-2016-7490
Export: JSON TEXT XML
Exploit Code:
  aC/ $ ln -s /tmp/javaver /etc/passed
Advisory: http://www.vapidlabs.com/advisory.php?v=174

#  0day.today [2018-01-03]  #