| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Mar 7 21:27:28 2006
From: drfrancky at securax.org (Javor Ninov)
Subject: capi4hylafax insecure manipulation with tmp files
capi4hylafax suite (http://freshmeat.net/projects/capi4hylafax/ ) is
addon for hylafax fax server (http://www.hylafax.org/)
vulnerable:
capi4hylafax-01.03.00 /probably others/
in capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp :
#ifdef GENERATE_DEBUGSFFDATAFILE
dwarning (DebugSffDataFile == 0);
if (!DebugSffDataFile) {
DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
}
#endif
in
and in capi4hylafax-01.03.00/src/faxsend/faxsend.cpp :
#ifdef GENERATE_DEBUGSFFDATAFILE
dassert (DebugSffDataFile == 0);
DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
#endif
vulnerable capi4hylafax-1.1a
in capi4hylafax-1.1a/src/standard/ExtFuncs.h :
#define DEBUG_FILE_NAME "/tmp/c2faxfcalls.log"
then in capi4hylafax-1.1a/src/standard/DbgFile.c:
unsigned DebugFileOpen (void) {
DebugFileClose();
hFile = fopen (DEBUG_FILE_NAME, "w");
return (hFile != 0);
}
<snip>
void DebugFilePrint (char *string) {
if (hFile) {
fprintf (hFile, string);
fflush (hFile);
}
printf (string);
}
impact:
a regular user of the system can create a symbolic link to file on which
hylafax has write access leading to overwriting of this file
!!! VENDOR IS NOT NOTIFIED !!!
Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060307/b2ed39a9/signature.bin
Powered by blists - more mailing lists