Acushop SalesBuilder Possible Root Compromise Vulnerability

Acushop SalesBuilder is an E-Commerce package from Acushop. It is included as a demo in the Red Hat Linux 6.0 Applications CD.

The startup file .sbstart, linked from /usr/bin/salesbuilder and /usr/local/bin/salesbuilder, is world-writable. An attacker can modify the file and add malicious commands, which could lead to a local root compromise.

.sbstart can be found in /usr/local/bin/acushop/. If this application was installed as root, .sbstart will have the following permissions:

-rwxrwxrwx 1 root root 163 Jun 29 19:45 .sbstart

Because the file is writable and executable by anyone, a malicious user could add a line such as the following to it:

echo "r00t::0:0::/root:/bin/sh" >> /etc/passwd

They would then wait for root to start salesbuilder and have their malicious commands executed.
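
The following check is an added example, not part of the original advisory or of Acushop's software: it resolves every entry in the given directories (for instance /usr/bin and /usr/local/bin) and reports those whose final target is world-writable, which is the condition described above. The function names audit_launchers and make_sample_tree are hypothetical, the sample tree is constructed, and readlink -f and find are assumed to be available.

```shell
#!/bin/sh
# Added example: list launchers whose resolved target is world-writable.

# audit_launchers DIR...
# Prints "entry -> resolved target" for each entry in DIR that resolves to a
# regular file with the "other" write bit set. Needs readlink -f and find.
audit_launchers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$entry" ] || continue          # unmatched glob or dangling link
            target=$(readlink -f -- "$entry") || continue
            [ -f "$target" ] || continue
            # -perm -0002 matches when the world-write bit is set
            if [ -n "$(find "$target" -perm -0002 2>/dev/null)" ]; then
                printf '%s -> %s\n' "$entry" "$target"
            fi
        done
    done
}

# make_sample_tree: constructed layout mirroring the advisory (a launcher
# symlink pointing at a mode-777 .sbstart), built in a temp dir. Prints its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin/acushop"
    printf '#!/bin/sh\n' > "$root/bin/acushop/.sbstart"
    chmod 777 "$root/bin/acushop/.sbstart"
    ln -s "$root/bin/acushop/.sbstart" "$root/bin/salesbuilder"
    printf '#!/bin/sh\n' > "$root/bin/safe-tool"
    chmod 755 "$root/bin/safe-tool"
    printf '%s\n' "$root"
}

# Demo on the constructed tree: report, drop the world-write bit, re-check.
sample=$(make_sample_tree)
audit_launchers "$sample/bin"
chmod o-w "$sample/bin/acushop/.sbstart"
audit_launchers "$sample/bin"                   # prints nothing after the fix
rm -rf "$sample"
```

Scanning the link directories rather than only /usr/local/bin/acushop/ matters because root runs the symlinked name, while the writable file sits elsewhere.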


Copyright 2010, SecurityFocus