[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
flexbackup default config insecure temporary file creation
- To: vuldb@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, vuln@xxxxxxxxxx, moderators@xxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, xforce@xxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, koon@xxxxxxxxxx
- Subject: flexbackup default config insecure temporary file creation
- From: ZATAZ Audits <exploits@xxxxxxxxx>
- Date: Mon, 17 Oct 2005 10:06:06 +0200
flexbackup default config insecure temporary file creation
Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
The vulnerabilities ared due to insecure temporary files creations due
to a default config.
They are symlink attacks to create arbitrary files with the privileges
of the user running the affected script, sensitive informations
disclosure, possible local or remote arbitrary commands execution.
flexbackup <= 1.2.1
Change default config $tmpdir
Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report (vendor-sec@xxxxxx) : 2005-09-30
Disclosure : 2005-10-15
Technical details :
Vulnerable code :
* In /etc/flexbackup.conf :
$tmpdir = '/tmp';
* Into flexbackup :
If tmpdir is not defined /tmp is used by default, but here into conf
file tmpdir is by default set to /tmp
5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";
5236 # Create a script which tests the buffer program
5237 open(SCR,"> $tmp_script") || die;
5238 print SCR "#!/bin/sh\n";
5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241 print SCR "echo testme > \$tmp_data\n";
5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243 print SCR "res=\$?\n";
5244 print SCR "out=\`cat \$tmp_err\`\n";
5245 print SCR "if [ \$res -eq 0 ]; then\n";
5246 print SCR " echo successful\n";
5247 print SCR "else\n";
5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
5249 print SCR "fi\n";
5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
5251 close(SCR);
Here we have possible symlink attack (race condition), and also
possibility to create a untrusted script into the tmp_script (race
The script how is created is also vulnerable to possible symlink attack
(race condition).
5253 if ($host eq 'localhost') {
5254 print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255 $pipecmd = "sh $tmp_script ";
5256 } else {
5257 print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat >
$tmp_script; sh $tmp_script; rm -f $tmp_script' )";
We see here that the untrusted script could be executed on localhost or
5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";
Here the $cfg::pad_blocks should be false to exploit the possible
symlink attack (race condition). By default in the conf file pad_blocks
is true. No risk if no configuration modification.
359 if (defined($::pkgdelta)) {
360 if (defined($::local)) {
361 &list_packages('localhost');
362 &find_packaged_files('localhost');
363 &find_changed_files('localhost');
364 }
365 foreach my $host (keys %::remotehosts) {
366 &list_packages($host);
367 &find_packaged_files($host);
368 &find_changed_files($host);
369 }
370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371 &line();
372 }
Here we have possible symlink attack (race condition)
619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";
841 unlink($result);
842 open(SCR, "> $exitscript") || die;
843 print SCR '#!/bin/sh' . "\n";
844 print SCR '"$@"' . "\n";;
845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846 close(SCR);
847 chmod(0755, $exitscript);
849 push(@cmds, "[ ! -e $result ]");
850 }
This one is more difficult to race.
Related :
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965
Credits :
Eric Romang (eromang@xxxxxxxxx - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.