[39109] in bugtraq


xmysqladmin insecure temporary file creation

daemon@ATHENA.MIT.EDU (ZATAZ Audits)
Thu Jun 9 14:03:31 2005

Message-ID: <42A7FB22.9000008@zataz.net>
Date: Thu, 09 Jun 2005 10:17:38 +0200
From: ZATAZ Audits <exploits@zataz.net>
Reply-To: exploits@zataz.net
MIME-Version: 1.0
To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com,
        moderators@osvdb.org, bugs@securitytracker.com,
        submissions@packetstormsecurity.org, news@securiteam.com,
        xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
        full-disclosure@lists.grok.org.uk
Cc: Eric Romang <eromang@zataz.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

#########################################################

xmysqladmin insecure temporary file creation

Vendor:  Gilbert Therrien gilbert@ican.net or mysql@tcx.se
Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

xmysqladmin contains a security flaw which could allow a malicious local
user to overwrite (and so destroy) arbitrary files with the privileges of
the user running xmysqladmin, or to obtain sensitive information (the
contents of a database).

When a database is dropped, xmysqladmin first archives the database's data
directory to a tar.gz file inside /tmp, named after the database
(BACKUPDIR/<dbname>.tar.gz), without checking whether a file or symlink
already exists at that path. A local attacker who plants a symlink there
beforehand gets the archive written over any file the xmysqladmin user can
write; an attacker who plants a regular file they own can read the archive
(the database contents) afterwards.

Exploitation requires that the malicious local user knows which database
is going to be dropped, since the archive name is derived from the
database name.

##########
Versions:
##########

xmysqladmin <= 1.0

##########
Solution:
##########

In the Makefile, change BACKUPDIR from /tmp to a directory that is not
world-writable (for example the current directory) and rebuild:

BACKUPDIR = .

I think that upstream should check whether the file already exists
before creating it.

To prevent symlink attacks, use a kernel hardening patch such as grsecurity.

#########
Timeline:
#########

Discovered : 2005-05-24
Vendor notified : 2005-05-29
Vendor response : no response
Vendor fix : no fix
Disclosure :  2005-05-29

#####################
Technical details :
#####################

Vulnerable code :
-----------------

In the Makefile:

BACKUPDIR = /tmp

In createDropDB.c, starting at line 94:

void dropdb_drop(FL_OBJECT *obj, long data)
{
   char *cmd;

   if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo you want to continue?", 0))
         return;
   if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre you sure?", 0))
         return;

   cmd = (char *) malloc(2048);
   if(!cmd) return;

   /* Builds "<BACKUP> <BACKUPDIR>/<dbname>.tar<BACKUPSUFFIX> <datapath><dbname>/*",
      i.e. an archive at the predictable path /tmp/<dbname>.tar.gz with the
      shipped Makefile settings. Nothing checks whether that path already
      exists or is a symlink before the command runs. */
   sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR, g_dropdb_dbfname,
           BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

   fl_show_command_log(FL_TRANSIENT);
   fl_exe_command(cmd, 1);
   free(cmd);

   {
     MYSQL connection;
     if(g_mysql_connect(&connection, Setup.host, Setup.user, Setup.password))
     {
       if(mysql_drop_db(&connection, g_dropdb_dbfname))
         {
           fl_show_alert(mysql_error(&connection),"","",0);
         }
       else
         {
           fl_show_message("The database",g_dropdb_dbfname,"has been destroyed");
         }

       mysql_close(&connection);
     }
     else
       {
           fl_show_alert("Cannot connect to server","","",0);
       }
   }
}
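The following C program is added here as an illustration; it is not xmysqladmin code and not part of the original advisory. It reproduces the flaw above in miniature: naive_backup_open() opens the archive path the way tar does when handed a predictable name (create or truncate, following symlinks), while safe_backup_open() uses O_CREAT|O_EXCL|O_NOFOLLOW so that a pre-planted file or symlink makes the open fail instead of redirecting the write. run_attack() builds the attacker's symlink inside a private mkdtemp() directory (a constructed scenario; a private directory is used rather than /tmp itself so the demonstration does not depend on the kernel's fs.protected_symlinks setting, which only guards sticky world-writable directories) and reports whether the victim file was overwritten. All function names, file names and paths are assumptions for the example.

```c
/* Added example (not xmysqladmin code): the insecure-temp-file pattern
 * from dropdb_drop() next to a hardened open, exercised against a planted
 * symlink. All names and paths here are assumptions for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* What "tar czf /tmp/<dbname>.tar.gz ..." does to its output path:
 * create-or-truncate, following symlinks. A symlink planted at that path
 * redirects the write to the link's target. */
static int naive_backup_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails with EEXIST if anything (file, symlink, even a
 * dangling symlink) already exists at the path; O_NOFOLLOW is defence in
 * depth; mode 0600 keeps the archive private to the user. */
static int safe_backup_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: victim.txt belongs to the user running the backup;
 * the attacker pre-creates <dir>/mydb.tar.gz as a symlink to it; then the
 * backup routine opens <dir>/mydb.tar.gz with the given opener.
 * Returns 1 if victim.txt was overwritten, 0 if it survived, -1 on setup
 * failure. *open_errno receives errno if the opener refused the path.
 * A private mkdtemp() directory stands in for /tmp so the demo does not
 * depend on fs.protected_symlinks, which only guards sticky world-writable
 * directories. */
static int run_attack(int (*opener)(const char *), int *open_errno)
{
    const char secret[] = "important local data\n";
    char dir[] = "/tmp/xmysqladmin-demo-XXXXXX";
    char victim[300], archive[300], buf[64];
    ssize_t n;
    int fd, clobbered;

    *open_errno = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(archive, sizeof archive, "%s/mydb.tar.gz", dir); /* predictable: <db>.tar.gz */

    /* The file the attacker wants destroyed. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, secret, sizeof secret - 1) != (ssize_t)(sizeof secret - 1)) {
        if (fd >= 0) close(fd);
        rmdir(dir);
        return -1;
    }
    close(fd);

    /* Attacker's move: plant a symlink where the backup will be written. */
    if (symlink(victim, archive) != 0) {
        unlink(victim);
        rmdir(dir);
        return -1;
    }

    /* Backup routine's move: open the archive path for writing. */
    fd = opener(archive);
    if (fd < 0) {
        *open_errno = errno;
    } else {
        n = write(fd, "tar data", 8);   /* stand-in for tar's output */
        (void)n;
        close(fd);
    }

    /* Did the write land on the victim file? */
    fd = open(victim, O_RDONLY);
    n = (fd >= 0) ? read(fd, buf, sizeof buf) : -1;
    if (fd >= 0) close(fd);
    clobbered = !(n == (ssize_t)(sizeof secret - 1) && memcmp(buf, secret, (size_t)n) == 0);

    unlink(archive);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    int e;
    int r = run_attack(naive_backup_open, &e);
    printf("naive open:             victim %s\n", r == 1 ? "overwritten" : "intact");
    r = run_attack(safe_backup_open, &e);
    printf("O_EXCL|O_NOFOLLOW open: victim %s, open() failed with %s\n",
           r == 0 ? "intact" : "overwritten", e ? strerror(e) : "no error");
    return 0;
}
```

Compile with `cc -o demo demo.c` and run: the naive open reports the victim overwritten, the hardened open fails with EEXIST and the victim survives. O_EXCL alone already refuses an existing symlink (POSIX requires it); O_NOFOLLOW is kept as defence in depth. Because xmysqladmin hands tar a path on the command line, the program itself would have to perform the check, either by opening the archive with O_EXCL and letting tar write to that open descriptor, or by creating the archive inside a fresh directory made with mkdtemp().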

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thanks to the Gentoo Security Team (Taviso, jaervosz, solar, etc.).

