SecuriTeam - SNAP Innovation's PrimeBase Database Default File Permissions and Symlinks Vulnerabilities

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

The PrimeBase Database Server is "a relational Database Management System (DBMS) for Mac, UNIX and Windows platforms. The PrimeBase Database Server supports all common database access standards (PBT, SQL, ODBC, JDBC, PHP, Perl, RealBasic, EOF and DAL) and protocols (TCP/IP, Shared Memory and Appletalk)".

Two security vulnerabilities have been found in the product allowing local users to overwrite local files.

Credit:
The information has been provided by Larry W. Cashdollar.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
* SNAP Innovation's PrimeBase Database version 4.2 (PrimeBase Data Server Build 4212)

Poor use of temporary files during installation
Larry noticed the PrimeBase install script creates the following files in /tmp:
[nobody $] ln -s /etc/shadow /tmp/PrimeBase.log

Then if a malicious user has previous knowledge of the administrator's installation of PrimeBase the contents of /etc/shadow will be overwritten with the contents of PrimeBase.log.

LOG="/tmp/PrimeBase.log"
echo "$str:[y/n]" | tee $LOG
echo "PrimeBase Installation: $now" >> $LOG

Poor default file permissions
A malicious local user could manipulate the binaries for PrimeBase used by the administrator and execute arbitrary code. The attacker would need to wait until the Database was restarted or the system rebooted.
root@Fester local]# ls -ld /usr/local/primebase
drwxrwxrwx 6 root root 4096 Sep 1 13:57 primebase

These types of vulnerabilities seem to be common with the database crowd.

Impact:
Local attackers can exploit these vulnerabilities to clobber root owned system files and modify software binaries. This could possibly lead to a denial of service or system compromise.

Workaround:
Temporary file vulnerability
Boot the system into single user mode only and ensure no other users are logged in during installation.

Default file permissions
Change directories to more restrictive ownerships (untested).

Disclosure timeline:
9/16/2003 Issue disclosed to Vendor.
9/26/2003 Response from Vendor, next version will be fixed.

	Real Networks RealPlayer Compressed GIF Handling Integer Overflow
	RealNetworks RealPlayer CMediumBlockAllocator Integer Overflow Vulnerability
	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution