| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <42A7FB22.9000008@zataz.net>
Date: Thu Jun 9 10:49:01 2005
From: exploits at zataz.net (ZATAZ Audits)
Subject: xmysqladmin insecure temporary file creation
#########################################################
xmysqladmin insecure temporary file creation
Vendor: Gilbert Therrien gilbert@...n.net or mysql@....se
Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
xmysqladmin contain a security flaw wich could allow a malicious
local user to delete arbitrary files with the right off the user
how use xmysqladmin or to get sensible informations
(content off a database)
During the drop off a database, xmysqladmin drop the database and create
a tar.gz
inside /tmp without checking if the file exist already.
The exploitation require that the malicious local user no wich database
gonna be deleted.
##########
Versions:
##########
xmysqladmin <= 1.0
##########
Solution:
##########
In Makefile :
BACKUPDIR = .
I think that upstream should check if the file already exist or not
before creating it.
To prevent symlink attack use kernel patch such as grsecurity
#########
Timeline:
#########
Discovered : 2005-05-24
Vendor notified : 2005-05-29
Vendor response : no reponse
Vendor fix : no fix
Disclosure : 2005-05-29
#####################
Technical details :
#####################
Vulnerable code :
-----------------
In Makefile :
BACKUPDIR = /tmp
In createDropDB.c : begin line 94
void dropdb_drop(FL_OBJECT *obj, long data)
{
char *cmd;
if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo
you want to continue?", 0))
return;
if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre
you sure?", 0))
return;
cmd = (char *) malloc(2048);
if(!cmd) return;
sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR,
g_dropdb_dbfname,
BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);
fl_show_command_log(FL_TRANSIENT);
fl_exe_command(cmd, 1);
free(cmd);
{
MYSQL connection;
if(g_mysql_connect(&connection, Setup.host, Setup.user,
Setup.password))
{
if(mysql_drop_db(&connection, g_dropdb_dbfname))
{
fl_show_alert(mysql_error(&connection),"","",0);
}
else
{
fl_show_message("The database",g_dropdb_dbfname,"has been
destroyed");
}
mysql_close(&connection);
}
else
{
fl_show_alert("Cannot connect to server","","",0);
}
}
#########
Related :
#########
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792
#####################
Credits :
#####################
Eric Romang (eromang@...az.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)
Powered by blists - more mailing lists