Teradata Studio Express Race Condition

Risk: Medium
Local: Yes
Remote: No
CWE: CWE-362

Ogólna skala CVSS: 7.2/10
Znaczenie: 10/10
Łatwość wykorzystania: 3.9/10
Wymagany dostęp: Lokalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

Title: /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall Author: Larry W. Cashdollar, @_larry0 Date: 2016-10-03 Download Site: http://downloads.teradata.com/download/tools/teradata-studio-express Vendor: Teradata Vendor Notified: 2016-10-03 Vendor Contact: web form contact Description: Teradata Studio Express provides an information discovery tool that retrieves data from Teradata Database systems and allows the data to be manipulated and stored on the desktop. It is built on the Eclipse Rich Client Platform (RCP). Vulnerability: The installation script for TeradataStudioExpress. creates files in /tmp insecurely. A malicious local user could create a symlink in /tmp and possibly clobber system files or perhaps elevate privileges. $ grep -n "/tmp" studioexpressinstall 33:ASKDIRFILE=/tmp/sqlajeaskdir 41:DEF_TRACEFILE=/tmp/studioexinstall.log 44:TMP=/tmp 72:SQLAJEINPUTS=/tmp/studioexinputs 90:RPM_OUT_FILE=/tmp/studioexinstall_rpmcmd.out 103:SQLAJEINSTALL=/tmp/studioexpressinstall 136: java -version > "/tmp/javaver" 2>&1 137: verstring=`grep "java version" /tmp/javaver` 143: jre64b=`grep "64-Bit" /tmp/javaver` 212:rm -f /tmp/javaver 341: tmptracefile=/tmp/studioexinstall.log.tmp #Temporary trace file. 588:touch /tmp/checkstudioexinstall 603:rm -f /tmp/checkstudioexinstall 604:rm -f /tmp/studioexinstall_rpmcmd.out CVE-ID: CVE-2016-7490 Export: JSON TEXT XML Exploit Code: aC/ $ ln -s /tmp/javaver /etc/passed Advisory: http://www.vapidlabs.com/advisory.php?v=174

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top