Date: Tue Mar 7 21:27:28 2006
From: drfrancky at securax.org (Javor Ninov)
Subject: capi4hylafax insecure manipulation with tmp files

capi4hylafax suite (http://freshmeat.net/projects/capi4hylafax/ ) is an addon
for the hylafax fax server (http://www.hylafax.org/)

vulnerable: capi4hylafax-01.03.00 /probably others/

in capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp :

    #ifdef GENERATE_DEBUGSFFDATAFILE
        dwarning (DebugSffDataFile == 0);
        if (!DebugSffDataFile) {
            DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
        }
    #endif

and in capi4hylafax-01.03.00/src/faxsend/faxsend.cpp :

    #ifdef GENERATE_DEBUGSFFDATAFILE
        dassert (DebugSffDataFile == 0);
        DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
    #endif

vulnerable: capi4hylafax-1.1a

in capi4hylafax-1.1a/src/standard/ExtFuncs.h :

    #define DEBUG_FILE_NAME "/tmp/c2faxfcalls.log"

then in capi4hylafax-1.1a/src/standard/DbgFile.c:

    unsigned DebugFileOpen (void) {
        DebugFileClose();
        hFile = fopen (DEBUG_FILE_NAME, "w");
        return (hFile != 0);
    }
    <snip>
    void DebugFilePrint (char *string) {
        if (hFile) {
            fprintf (hFile, string);
            fflush (hFile);
        }
        printf (string);
    }

impact: a regular user of the system can create a symbolic link to a file on
which hylafax has write access, leading to overwriting of this file

!!! VENDOR IS NOT NOTIFIED !!!

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
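
An added example, not part of the original post and not capi4hylafax code: one way to open such a debug file so that a symbolic link already present at the path is refused instead of followed. The helper names (debug_open_excl, symlink_is_refused) and the demo file names are hypothetical; the scenario is constructed inside a private mkdtemp() directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: create the debug file only if nothing exists at path.
 * O_CREAT|O_EXCL makes open() fail on any existing entry, including a
 * symlink (dangling or not); O_NOFOLLOW is defence in depth. */
FILE *debug_open_excl(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp)
        close(fd);
    return fp;
}

/* Constructed scenario: a symlink sits at the debug-file name and points at
 * a "victim" file. Returns 1 if the open is refused and the victim is
 * untouched, 0 otherwise. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/dbgdemoXXXXXX", victim[64], dbg[64], buf[16] = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dbg, sizeof dbg, "%s/dbgdatafile.sff", dir);
    FILE *v = fopen(victim, "w");
    if (!v) return 0;
    fputs("keep", v);
    fclose(v);
    if (symlink(victim, dbg) != 0) return 0;

    FILE *fp = debug_open_excl(dbg);   /* must fail: path already exists */
    int refused = (fp == NULL && (errno == EEXIST || errno == ELOOP));
    if (fp) fclose(fp);
    v = fopen(victim, "r");
    if (v) { if (!fgets(buf, sizeof buf, v)) buf[0] = 0; fclose(v); }
    unlink(dbg); unlink(victim); rmdir(dir);
    return refused && strcmp(buf, "keep") == 0;
}

int main(void) { puts(symlink_is_refused() ? "refused" : "FOLLOWED"); return 0; }
```

By contrast, fopen(path, "w") follows the link and truncates its target, which is the overwrite described in the post.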