Message-ID: <440DFAB7.4010007@securax.org>
Date: Tue Mar 7 21:27:28 2006
From: drfrancky at securax.org (Javor Ninov)
Subject: capi4hylafax insecure manipulation with tmp files
The capi4hylafax suite (http://freshmeat.net/projects/capi4hylafax/) is an
add-on for the hylafax fax server (http://www.hylafax.org/).
vulnerable:
capi4hylafax-01.03.00 /probably others/
in capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp :
#ifdef GENERATE_DEBUGSFFDATAFILE
    dwarning (DebugSffDataFile == 0);
    if (!DebugSffDataFile) {
        DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
    }
#endif
and in capi4hylafax-01.03.00/src/faxsend/faxsend.cpp :
#ifdef GENERATE_DEBUGSFFDATAFILE
    dassert (DebugSffDataFile == 0);
    DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
#endif
vulnerable: capi4hylafax-1.1a
in capi4hylafax-1.1a/src/standard/ExtFuncs.h :
#define DEBUG_FILE_NAME "/tmp/c2faxfcalls.log"
then in capi4hylafax-1.1a/src/standard/DbgFile.c:
unsigned DebugFileOpen (void) {
    DebugFileClose();
    hFile = fopen (DEBUG_FILE_NAME, "w");
    return (hFile != 0);
}
<snip>
void DebugFilePrint (char *string) {
    if (hFile) {
        fprintf (hFile, string);
        fflush (hFile);
    }
    printf (string);
}
impact:
A regular user of the system can create a symbolic link, at one of the
/tmp paths above, to a file to which hylafax has write access, leading to
that file being overwritten.
!!! VENDOR IS NOT NOTIFIED !!!
Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
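
The fopen (..., "w") pattern quoted in the message, set beside a hardened open, as an added example that is not capi4hylafax code and not part of the original post. The names debug_open_safe and target_size_after_open are hypothetical, and the scratch directory, target file and symlink are constructed by the program itself.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* mkdtemp, O_NOFOLLOW, symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for fopen(path, "w") on a debug file:
 * O_EXCL fails with EEXIST if anything (including a symlink) already
 * exists at path; O_NOFOLLOW is a second guard; 0600 keeps it private. */
FILE *debug_open_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp)
        close(fd);
    return fp;
}

/* Builds a scratch directory holding a "target" file and a pre-planted
 * symlink at the debug-file name, opens the debug file either the way the
 * quoted code does (use_safe == 0) or with debug_open_safe(), and returns
 * the target's size afterwards (5 = untouched, 0 = truncated, -1 = error). */
long target_size_after_open(int use_safe) {
    char dir[] = "/tmp/dbgdemo.XXXXXX";
    char target[64], dbg[64];
    struct stat st;
    long size = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(dbg, sizeof dbg, "%s/c2faxfcalls.log", dir);

    FILE *t = fopen(target, "w");
    if (t) { fputs("keep\n", t); fclose(t); }
    if (t && symlink(target, dbg) == 0) {
        FILE *fp = use_safe ? debug_open_safe(dbg) : fopen(dbg, "w");
        if (fp)
            fclose(fp);
        if (stat(target, &st) == 0)
            size = (long)st.st_size;
    }
    unlink(dbg); unlink(target); rmdir(dir);
    return size;
}
```

A debug file that must live at a predictable name is better placed in a directory only the daemon can write to; mkstemp() is the usual choice when the name does not need to be fixed.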