[FD] /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall

Fri, 18 Nov 2016 03:08:02 -0800 

Title: /tmp race condition in Teradata Studio Express v15.12.00.00 
studioexpressinstall
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-03
Download Site: 
http://downloads.teradata.com/download/tools/teradata-studio-express
Vendor: Teradata
Vendor Notified: 2016-10-03
Vendor Contact: web form contact
Description: Teradata Studio Express provides an information discovery tool 
that retrieves data from Teradata Database systems and allows the data to be 
manipulated and stored on the desktop. It is built on the Eclipse Rich Client 
Platform (RCP). 
Vulnerability:
The installation script for TeradataStudioExpress.15.12.00.00 creates files in 
/tmp insecurely.  A malicious local user could create a symlink in /tmp and 
possibly clobber system files or perhaps elevate privileges.

$ grep -n "/tmp" studioexpressinstall 

33:ASKDIRFILE=/tmp/sqlajeaskdir
41:DEF_TRACEFILE=/tmp/studioexinstall.log
44:TMP=/tmp
72:SQLAJEINPUTS=/tmp/studioexinputs
90:RPM_OUT_FILE=/tmp/studioexinstall_rpmcmd.out
103:SQLAJEINSTALL=/tmp/studioexpressinstall
136:   java -version > "/tmp/javaver" 2>&1
137:   verstring=`grep "java version" /tmp/javaver`
143:      jre64b=`grep "64-Bit" /tmp/javaver`
212:rm -f /tmp/javaver 
341:   tmptracefile=/tmp/studioexinstall.log.tmp    #Temporary trace file.
588:touch /tmp/checkstudioexinstall
603:rm -f /tmp/checkstudioexinstall
604:rm -f /tmp/studioexinstall_rpmcmd.out

CVE-ID: CVE-2016-7490
Export: JSON TEXT XML
Exploit Code:
        • $ ln -s /tmp/javaver /etc/passed
Advisory: http://www.vapidlabs.com/advisory.php?v=174

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to