iDEFENSE Security Advisory 07.01.03:
http://www.idefense.com/advisory/07.01.03.txt

Caché Insecure Installation File and Directory Permissions

July 1, 2003

I. BACKGROUND

InterSystems Corp.'s Caché is a post-relational database for e-applications
that is optimized for web applications. More information about the
application is available at http://www.intersystems.com/cache/index.html .

II. DESCRIPTION

Caché installs with insecure file and directory permissions, thereby
allowing local attackers to gain root access by manipulating items in the
main package tree.

The vulnerability specifically exists because files and directories are
open to all users for read, write, and execute operations. An example of
such a directory is the ecache/bin directory:

    [farmer@vmlinux ecache]$ ls -ld bin
    drwxrwxrwx    2 root     root         4096 May  2 05:34 bin

The displayed permissions are those of a default install.

III. ANALYSIS

Two attack vectors exist by which any local attacker can gain root
privileges:

  * Overwriting a world-writable binary that is executed by the set user
    id (setuid) root wrapper, /cachesys/bin/cuxs.

  * Executing a server side script from /cachesys/csp/user. The content in
    that directory is executed as root through the web interface.

IV. DETECTION

Caché Database 5.x is affected. Older versions may be vulnerable as well.

V. WORKAROUND

Administrators can prevent exploitation by making file permissions more
restrictive. This should prevent attackers from overwriting binaries or
placing scripts in /cachesys/csp/user.

VI. VENDOR FIX

InterSystems provided an alert to its customer base that is viewable at
http://www.intersystems.com/support/flash/index.html. In it, the company
said that the installation defaults will be changed in Caché 4.1.16 and
5.0.3.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the following identification numbers to these issues:

    CAN-2003-0497  overwrite Caché using setuid cuxs program
    CAN-2003-0498  code injection into /cachesys/csp

VIII. DISCLOSURE TIMELINE

    11 MAR 2003  First attack vector disclosed to iDEFENSE
    18 APR 2003  Second attack vector disclosed to iDEFENSE
    10 JUN 2003  Research completed on issues
    10 JUN 2003  InterSystems Corporation notified
    11 JUN 2003  Response from David Shambroom of InterSystems
    01 JUL 2003  Coordinated public disclosure

IX. CREDIT

Larry W. Cashdollar (lwc@vapid.ath.cx) discovered this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical vulnerabilities and
hacker profiling to the global spread of viruses and other malicious code.
Our security intelligence services provide decision-makers, frontline
security professionals and network administrators with timely access to
actionable intelligence and decision support on cyber-related threats. For
more information, visit http://www.idefense.com .
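The workaround in section V amounts to finding and removing the world-writable bit throughout the install tree. The script below is an added example for administrators, not part of the iDEFENSE advisory or InterSystems' fix: it audits a tree for world-writable files and directories and for setuid binaries (such as the cuxs wrapper), and strips the "other" write bit. The /cachesys path is the advisory's; the sample tree built by make_sample_tree is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or InterSystems): audit and harden
# file permissions in a Caché-style install tree.
# Usage: audit_world_writable /cachesys ; harden_world_writable /cachesys

# List regular files and directories under $1 whose "other" write bit is set.
# Symlinks are skipped because a symlink's own mode is always 777 on Linux.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# List set-user-id regular files under $1 (e.g. a setuid root wrapper like
# cuxs), so an administrator can review what each one executes.
audit_setuid() {
    find "$1" -type f -perm -4000 -print
}

# Remove the "other" write bit from everything audit_world_writable reports.
harden_world_writable() {
    audit_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# Build a constructed tree mimicking the insecure defaults the advisory shows
# (bin and csp/user mode 777) beside one properly restricted directory,
# and print its path. Sample data only.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/csp/user" "$root/mgr"
    chmod 777 "$root/bin" "$root/csp/user"   # the insecure defaults
    chmod 755 "$root/csp" "$root/mgr"
    printf '#!/bin/sh\n' > "$root/bin/cuxs"
    chmod 4755 "$root/bin/cuxs"               # setuid wrapper, not writable
    printf '%s\n' "$root"
}
```

Run audit_world_writable before and after harden_world_writable on the real tree to confirm the list is empty; audit_setuid output should then be reviewed by hand rather than changed automatically.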