Title: /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-03
Download Site: http://downloads.teradata.com/download/tools/teradata-studio-express
Vendor: Teradata
Vendor Notified: 2016-10-03
Vendor Contact: web form contact

Description: Teradata Studio Express provides an information discovery tool that retrieves data from Teradata Database systems and allows the data to be manipulated and stored on the desktop. It is built on the Eclipse Rich Client Platform (RCP).

Vulnerability: The installation script for TeradataStudioExpress.15.12.00.00 creates files in /tmp insecurely. A malicious local user could create a symlink in /tmp and possibly clobber system files or perhaps elevate privileges.

$ grep -n "/tmp" studioexpressinstall
33:ASKDIRFILE=/tmp/sqlajeaskdir
41:DEF_TRACEFILE=/tmp/studioexinstall.log
44:TMP=/tmp
72:SQLAJEINPUTS=/tmp/studioexinputs
90:RPM_OUT_FILE=/tmp/studioexinstall_rpmcmd.out
103:SQLAJEINSTALL=/tmp/studioexpressinstall
136: java -version > "/tmp/javaver" 2>&1
137: verstring=`grep "java version" /tmp/javaver`
143: jre64b=`grep "64-Bit" /tmp/javaver`
212:rm -f /tmp/javaver
341: tmptracefile=/tmp/studioexinstall.log.tmp #Temporary trace file.
588:touch /tmp/checkstudioexinstall
603:rm -f /tmp/checkstudioexinstall
604:rm -f /tmp/studioexinstall_rpmcmd.out

CVE-ID: CVE-2016-7490

Exploit Code:
$ ln -s /tmp/javaver /etc/passed

Advisory: http://www.vapidlabs.com/advisory.php?v=174
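
The fixed-name /tmp files listed in the grep output above can be replaced by a private directory from mktemp -d. The following is an added example, not code from the advisory or from Teradata's installer: the function names and the "java version" string are constructed, and a throwaway sandbox directory stands in for /tmp.

```shell
#!/bin/sh
# Added example. Function names are hypothetical and the "java version" text is a
# constructed stand-in for `java -version`; $1 is the shared directory (/tmp in the script).

# Weak form (pattern of script line 136): fixed name, plain redirection.
# A symlink already present at that name redirects the write to its target.
capture_fixed() {
    echo 'java version "constructed"' > "$1/javaver" 2>&1
}

# Hardened form: mktemp -d creates a mode-0700 directory with an unpredictable
# name, so no other local user can place anything at the path we write to.
# noclobber (set -C) additionally refuses to write over an existing path.
capture_private() {
    workdir=$(umask 077; mktemp -d "$1/studioexinstall.XXXXXXXXXX") || return 1
    ( set -C; echo 'java version "constructed"' > "$workdir/javaver" ) || return 1
    printf '%s\n' "$workdir"        # caller reads $workdir/javaver, then removes it
}

# Sandbox check: a throwaway directory stands in for /tmp, with a link already
# sitting at the fixed name. Prints what each form left in the link's target.
check_forms() {
    sandbox=$(mktemp -d) || return 1
    echo original > "$sandbox/target"
    ln -s "$sandbox/target" "$sandbox/javaver"
    capture_fixed "$sandbox"
    after_fixed=$(cat "$sandbox/target")
    echo original > "$sandbox/target"
    private=$(capture_private "$sandbox") || return 1
    after_private=$(cat "$sandbox/target")
    captured=$(cat "$private/javaver")
    rm -rf -- "$sandbox"
    printf 'fixed:%s\nprivate:%s\ncaptured:%s\n' "$after_fixed" "$after_private" "$captured"
}

check_forms
```

The same change applies to every fixed path in the listing: derive each file name from the one private directory and remove that directory on exit.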