lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <43535B6E.2050005@zataz.net>
Date: Mon, 17 Oct 2005 10:06:06 +0200
From: ZATAZ Audits <exploits@...az.net>
To: vuldb@...urityfocus.com, vuln@...unia.com, vuln@...tik.com,
	moderators@...db.org, bugs@...uritytracker.com,
	submissions@...ketstormsecurity.org, news@...uriteam.com,
	xforce@....net, bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
	full-disclosure@...ts.grok.org.uk, koon@...too.org
Subject: flexbackup default config insecure temporary file
	creation


#########################################################

flexbackup default config insecure temporary file creation

Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerabilities ared due to insecure temporary files creations due 
to a default config.

They are symlink attacks to create arbitrary files with the privileges 
of the user running the affected script, sensitive informations 
disclosure, possible local or remote arbitrary commands execution.

##########
Versions:
##########

flexbackup <= 1.2.1

##########
Solution:
##########

Change default config $tmpdir

#########
Timeline:
#########

Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report (vendor-sec@....de) : 2005-09-30
Disclosure : 2005-10-15

#####################
Technical details :
#####################

Vulnerable code :
-----------------

* In /etc/flexbackup.conf :

$tmpdir = '/tmp';

* Into flexbackup :

&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined /tmp is used by default, but here into conf 
file tmpdir is by default set to /tmp

5229     my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236     # Create a script which tests the buffer program
5237     open(SCR,"> $tmp_script") || die;
5238     print SCR "#!/bin/sh\n";
5239     print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240     print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241     print SCR "echo testme > \$tmp_data\n";
5242     print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243     print SCR "res=\$?\n";
5244     print SCR "out=\`cat \$tmp_err\`\n";
5245     print SCR "if [ \$res -eq 0 ]; then\n";
5246     print SCR "   echo successful\n";
5247     print SCR "else\n";
5248     print SCR "   echo \"unsuccessful: exit code \$res: \$out\" \n";
5249     print SCR "fi\n";
5250     print SCR "rm -f \$tmp_data \$tmp_err\n";
5251     close(SCR);

Here we have possible symlink attack (race condition), and also 
possibility to create a untrusted script into the tmp_script (race 
condition).

The script how is created is also vulnerable to possible symlink attack 
(race condition).

5253     if ($host eq 'localhost') {
5254         print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255         $pipecmd = "sh $tmp_script ";
5256     } else {
5257         print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258         $pipecmd =  "cat $tmp_script | ($::remoteshell $host 'cat >
$tmp_script; sh $tmp_script; rm -f $tmp_script'        )";

We see here that the untrusted script could be executed on localhost or 
remote
host.

5446     my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447     my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448     my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here the $cfg::pad_blocks should be false to exploit the possible 
symlink attack (race condition). By default in the conf file pad_blocks 
is true. No risk if no configuration modification.

359     if (defined($::pkgdelta)) {
360         if (defined($::local)) {
361             &list_packages('localhost');
362             &find_packaged_files('localhost');
363             &find_changed_files('localhost');
364         }
365         foreach my $host (keys %::remotehosts) {
366             &list_packages($host);
367             &find_packaged_files($host);
368             &find_changed_files($host);
369         }
370         $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371         &line();
372     }

Here we have possible symlink attack (race condition)

619     my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620     my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841         unlink($result);
842         open(SCR, "> $exitscript") || die;
843         print SCR '#!/bin/sh' . "\n";
844         print SCR '"$@"' . "\n";;
845         print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846         close(SCR);
847         chmod(0755, $exitscript);
848
849         push(@cmds, "[ ! -e $result ]");
850     }

This one is more difficult to race.


#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965

#####################
Credits :
#####################

Eric Romang (eromang@...az.net - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ