what you don't know can hurt you

primebase.txt

primebase.txt
Posted Oct 3, 2003
Authored by Larry W. Cashdollar | Site vapid.dhs.org

SNAP Innovation's PrimeBase Database 4.2 employs a poor use of file creation and default file permissions that could allow a local attacker to gain administrative privileges.

tags | advisory, local
MD5 | dc4d382d3b5eee1b3d74c69cd6de596e

primebase.txt

Change Mirror Download

SNAP Innovation's PrimeBase Database 4.2 poor default file permissions and
use of symlinks during install.
September 1, 2003

I. BACKGROUND

>From the readme.txt file

"The PrimeBase Database Server is a relational Database Management System
(DBMS) for Mac, UNIX and Windows platforms. The PrimeBase Database Server
supports all common database access standards (PBT, SQL, ODBC, JDBC, PHP,
Perl, RealBasic, EOF and DAL) and protocols (TCP/IP, Shared Memory and
Appletalk)."

II. DESCRIPTION

1. Poor use of temporary files during installation.

I noticed the PrimeBase install script creates the following files in
/tmp:

[nobody $] ln -s /etc/shadow /tmp/PrimeBase.log

Then if a malicious user has previous knowledge of the administrators
installation of PrimeBase the contents of /etc/shadow will be overwritten
with the contents of PrimeBase.log.


LOG="/tmp/PrimeBase.log"
echo "$str:[y/n]" | tee $LOG
echo "PrimeBase Installation: $now" >> $LOG

2. Poor default file permissions.
A malicious local user could manipulate the binaries for PrimeBase used by
the administrator and execute arbitrary code. The attacker would need to
wait until the Database was restarted or the system rebooted.

root@Fester local]# ls -ld /usr/local/primebase
drwxrwxrwx 6 root root 4096 Sep 1 13:57 primebase


III. ANALYSIS

Local attackers can exploit these vulnerabilities to clobber root owned
system files and modify software binaries. This could possibly lead to a
denial of service or system compromise.

IV. DETECTION

PrimeBase Data Server Build 4212.
http://www.primebase.com/en/index.html

V. WORKAROUND

1. temp file vulnerability.

Boot the system into single user mode only and ensure no other users are
logged in during installation.

2. Default file permissions.
Change directories to more restrictive ownerships (untested).

VI. VENDOR FIX

Not Notified.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has not assigned an identification number to this issue.

VIII. DISCLOSURE TIMELINE

9/16/2003 Issue disclosed to Vendor.

IX. CREDIT

Larry W. Cashdollar (http://vapid.dhs.org) discovered this vulnerability.




Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    8 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    4 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close