COMMAND

    SalesBuilder

SYSTEMS AFFECTED

    All systems running Acushop SalesBuilder.

PROBLEM

    The following is based on the Digital Security for Y2K Advisory.
    This bug was discovered while installing, as root, software from
    the application CD shipped with RedHat Linux 6.0.  The startup
    file .sbstart, linked from /usr/bin/salesbuilder and
    /usr/local/bin/salesbuilder, is set world writable, so anyone can
    add code to it and possibly get root locally.  .sbstart can be
    found (after installing it from the RedHat application CD) at
    /usr/local/bin/acushop/.sbstart.  If this application was
    installed as root you will see this permission set:

        -rwxrwxrwx   1 root     root          163 Jun 29 19:45 .sbstart

    It seems it can be executed and written by everyone.  Someone can
    simply add a line like echo "r00t::0:0::/root:/bin/sh" >> /etc/passwd
    or make a script executed with root uid and gid.  Note that this
    file is hidden by its . prefix, so modifications are really hard
    for a not-so-expert system administrator to discover.

    How to exploit?  Just edit the file with a normal text editor
    like vi, joe, pico or emacs and add a line like:

        echo "r00t::0:0::/root:/bin/sh" >> /etc/passwd

    Of course there are many ways to make this hole usable; you can
    figure out how.

SOLUTION

    A possible fix is to install this software not as root, and if
    that is necessary, do not set .sbstart world writable.  Acushop
    was advised of this vulnerability but seemed not really
    interested in security.
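
    One way to check for and apply the fix above, as an added example
    that is not part of the original advisory.  The function names are
    hypothetical; the default paths are the ones named in the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): report startup scripts that any local
# user can modify, following symlinks such as /usr/bin/salesbuilder -> .sbstart.

# True when the file that PATH resolves to has the other-write bit set.
world_writable() {
    # -L makes find test the symlink target, not the link itself
    # (a symlink's own mode is always 0777 on Linux and would always match).
    [ -n "$(find -L "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Print one line per finding for every path given; nothing is modified.
audit_startup() {
    for p in "$@"; do
        [ -e "$p" ] || continue          # skip missing paths and dangling links
        if world_writable "$p"; then
            echo "WORLD-WRITABLE $p"
        fi
    done
}

# Remove other-write from the resolved file, as the advisory's fix suggests.
harden_startup() {
    for p in "$@"; do
        # chmod on a symlink argument changes the file it points to
        if world_writable "$p"; then chmod o-w "$p"; fi
    done
}

# Paths named in the advisory; override by passing paths as arguments.
if [ "$#" -eq 0 ]; then
    set -- /usr/bin/salesbuilder /usr/local/bin/salesbuilder \
           /usr/local/bin/acushop/.sbstart
fi
audit_startup "$@"
```

    Running the script only reports; call harden_startup on a reported
    path to drop the world-write bit.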