lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42A7FB22.9000008@zataz.net>
Date: Thu, 09 Jun 2005 10:17:38 +0200
From: ZATAZ Audits <exploits@...az.net>
To: vuldb@...urityfocus.com, vuln@...unia.com, vuln@...tik.com,
	moderators@...db.org, bugs@...uritytracker.com,
	submissions@...ketstormsecurity.org, news@...uriteam.com,
	xforce@....net, bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
	full-disclosure@...ts.grok.org.uk
Cc: Eric Romang <eromang@...az.net>
Subject: xmysqladmin insecure temporary file creation


#########################################################

xmysqladmin insecure temporary file creation

Vendor:  Gilbert Therrien gilbert@...n.net or mysql@....se
Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

xmysqladmin contain a security flaw wich could allow a malicious
local user to delete arbitrary files with the right off the user
how use xmysqladmin or to get sensible informations
(content off a database)

During the drop off a database, xmysqladmin drop the database and create 
a tar.gz
inside /tmp without checking if the file exist already.

The exploitation require that the malicious local user no wich database
gonna be deleted.

##########
Versions:
##########

xmysqladmin <= 1.0

##########
Solution:
##########

In Makefile :

BACKUPDIR = .

I think that upstream should check if the file already exist or not 
before creating it.

To prevent symlink attack use kernel patch such as grsecurity

#########
Timeline:
#########

Discovered : 2005-05-24
Vendor notified : 2005-05-29
Vendor response : no reponse
Vendor fix : no fix
Disclosure :  2005-05-29

#####################
Technical details :
#####################

Vulnerable code :
-----------------

In Makefile :

BACKUPDIR = /tmp

In createDropDB.c : begin line 94

void dropdb_drop(FL_OBJECT *obj, long data)
{
   char *cmd;

   if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo 
you want to continue?", 0))
         return;
   if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre 
you sure?", 0))
         return;

   cmd = (char *) malloc(2048);
   if(!cmd) return;

   sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR, 
g_dropdb_dbfname,
           BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

   fl_show_command_log(FL_TRANSIENT);
   fl_exe_command(cmd, 1);
   free(cmd);

   {
     MYSQL connection;
     if(g_mysql_connect(&connection, Setup.host, Setup.user, 
Setup.password))
     {
       if(mysql_drop_db(&connection, g_dropdb_dbfname))
         {
           fl_show_alert(mysql_error(&connection),"","",0);
         }
       else
         {
           fl_show_message("The database",g_dropdb_dbfname,"has been 
destroyed");
         }

       mysql_close(&connection);
     }
     else
       {
           fl_show_alert("Cannot connect to server","","",0);
       }
   }

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792

#####################
Credits :
#####################

Eric Romang (eromang@...az.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ