Acushop SalesBuilder Possible Root Compromise Vulnerability
Acushop SalesBuilder is an E-Commerce package from Acushop. It is included as a demo in the Red Hat Linux 6.0 Applications CD.
The startup file .sbstart, to which /usr/bin/salesbuilder and /usr/local/bin/salesbuilder are linked, is world-writable. This allows attackers to modify the file and add malicious commands, which could lead to a local root compromise.
.sbstart can be found in /usr/local/bin/acushop/. If this application was installed as root, .sbstart will have the following permissions:
-rwxrwxrwx 1 root root 163 Jun 29 19:45 .sbstart
Because the file is writable and executable by anyone, a malicious user could add a line such as the following to it:
echo "r00t::0:0::/root:/bin/sh" >> /etc/passwd
They would then wait for root to start salesbuilder, at which point their added commands would be executed as root.
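To check a system for this condition, the following added example (not part of the original advisory or of the Acushop package) resolves every entry in the given directories and reports those whose target file is world-writable. The function names and the constructed test tree are illustrative assumptions; it generalizes from .sbstart to any link target.

```shell
#!/bin/sh
# Added example: report entries in the given directories whose resolved
# target is world-writable (the .sbstart condition described above).

# is_world_writable PATH: succeeds if the "other" write bit is set.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# audit_link_targets DIR...: prints "entry -> target" for each finding.
audit_link_targets() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$entry" ] || continue      # unmatched glob or dangling link
            target=$(readlink -f "$entry") || continue
            [ -f "$target" ] || continue     # only regular files are of interest
            if is_world_writable "$target"; then
                printf '%s -> %s\n' "$entry" "$target"
            fi
        done
    done
}

# build_constructed_tree ROOT: constructed layout mirroring the advisory,
# one link to a mode-777 .sbstart and one link to a mode-755 control file.
build_constructed_tree() {
    mkdir -p "$1/bin" "$1/acushop"
    printf '#!/bin/sh\n' > "$1/acushop/.sbstart"
    chmod 777 "$1/acushop/.sbstart"
    ln -s "$1/acushop/.sbstart" "$1/bin/salesbuilder"
    printf '#!/bin/sh\n' > "$1/acushop/safe"
    chmod 755 "$1/acushop/safe"
    ln -s "$1/acushop/safe" "$1/bin/safetool"
}

# Audit the directories named on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_link_targets "$@"
fi
```

Saved under a name of your choice and run with /usr/bin and /usr/local/bin as arguments, it lists the salesbuilder links on an affected install. Removing the write bit for group and other on the reported target (chmod go-w) closes the hole.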