[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[VulnWatch] xmysqladmin insecure temporary file creation

To: vuldb@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, vuln@xxxxxxxxxx, moderators@xxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, xforce@xxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [VulnWatch] xmysqladmin insecure temporary file creation
From: ZATAZ Audits <exploits@xxxxxxxxx>
Date: Thu, 09 Jun 2005 10:17:38 +0200

#########################################################

xmysqladmin insecure temporary file creation

Vendor:  Gilbert Therrien gilbert@xxxxxxxx or mysql@xxxxxx
Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

xmysqladmin contain a security flaw wich could allow a malicious
local user to delete arbitrary files with the right off the user
how use xmysqladmin or to get sensible informations
(content off a database)

During the drop off a database, xmysqladmin drop the database and create a tar.gz inside /tmp without checking if the file exist already.

The exploitation require that the malicious local user no wich database
gonna be deleted.

##########
Versions:
##########

xmysqladmin <= 1.0

##########
Solution:
##########

In Makefile :

BACKUPDIR = .

I think that upstream should check if the file already exist or not before creating it.

To prevent symlink attack use kernel patch such as grsecurity

#########
Timeline:
#########

Discovered : 2005-05-24
Vendor notified : 2005-05-29
Vendor response : no reponse
Vendor fix : no fix
Disclosure :  2005-05-29

#####################
Technical details :
#####################

Vulnerable code :
-----------------

In Makefile :

BACKUPDIR = /tmp

In createDropDB.c : begin line 94

void dropdb_drop(FL_OBJECT *obj, long data)
{
  char *cmd;

if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo you want to continue?", 0)) return; if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre you sure?", 0)) return;

  cmd = (char *) malloc(2048);
  if(!cmd) return;

sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR, g_dropdb_dbfname, BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

  fl_show_command_log(FL_TRANSIENT);
  fl_exe_command(cmd, 1);
  free(cmd);

{ MYSQL connection; if(g_mysql_connect(&connection, Setup.host, Setup.user, Setup.password)) { if(mysql_drop_db(&connection, g_dropdb_dbfname)) { fl_show_alert(mysql_error(&connection),"","",0); } else { fl_show_message("The database",g_dropdb_dbfname,"has been destroyed"); }

      mysql_close(&connection);
    }
    else
      {
          fl_show_alert("Cannot connect to server","","",0);
      }
  }

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792

#####################
Credits :
#####################

Eric Romang (eromang@xxxxxxxxx - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)

Prev by Date: [VulnWatch] leafnode security announcement leafnode-SA-2005-02 (CAN-2005-1911)
Next by Date: [VulnWatch] [CIRT.DK - Advisory] Novell iManager 2.0.2 ASN.1 Parsing vulnerability in Apache module
Previous by thread: [VulnWatch] leafnode security announcement leafnode-SA-2005-02 (CAN-2005-1911)
Next by thread: [VulnWatch] [CIRT.DK - Advisory] Novell iManager 2.0.2 ASN.1 Parsing vulnerability in Apache module
Index(es):
- Date
- Thread