Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16248
HistoryMar 04, 2007 - 12:00 a.m.

BONUS-06-2007:Zend Platform Insecure File Permission Local Root Vulnerability

2007-03-0400:00:00
vulners.com
5
JSON

Summary

Several binaries and shellscripts installed by the Zend Platform come with insecure file permissions. Certain files are incorrectly owned by the Web server user or owned by the user account, who installed the Zend Platform.

By compromisng the web server account through for example one of the MOPB exploits or by compromising the user account that installed Zend Platform, an attacker is able to elevate his privileges by replacing or editing the files, which will run with root privileges on the next server restart.
Affected versions

Affected is Zend Platform <= 2.2.3
Detailed information

No details needed.
Proof of concept, exploit or instructions to reproduce

On a system using mod_php where safe_mode and open_basedir are not activated you can for example directly edit /usr/local/Zend/bin/scd.sh which is the startup script for the Zend session managment daemon. Insert any command you want and restart the webserver. The inserted commands will be executed with root permissions.

If the system has safe_mode and open_basedir activated, just use one of the local vulnerabilities that will be disclosed during this month.
Notes

This issue was disclosed to Zend at the end of January 2007. Meanwhile Zend provides instructions how to fix the file permissions on their site. However their recommendation is to upgrade to Zend Platform 3.0.

JSON