[40773] in bugtraq
flexbackup default config insecure temporary file creation
daemon@ATHENA.MIT.EDU (ZATAZ Audits)
Mon Oct 17 17:18:00 2005
Message-ID: <43535B6E.2050005@zataz.net>
Date: Mon, 17 Oct 2005 10:06:06 +0200
From: ZATAZ Audits <exploits@zataz.net>
Reply-To: exploits@zataz.net
MIME-Version: 1.0
To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com,
        moderators@osvdb.org, bugs@securitytracker.com,
        submissions@packetstormsecurity.org, news@securiteam.com,
        xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
        full-disclosure@lists.grok.org.uk, koon@gentoo.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
#########################################################
flexbackup default config insecure temporary file creation
Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
The vulnerabilities are due to insecure temporary file creation caused by 
the default configuration: temporary files are created with predictable 
names (host name plus PID) in the world-writable directory /tmp.
They allow symlink attacks to create or overwrite arbitrary files with the 
privileges of the user running the affected script, disclosure of sensitive 
information, and possibly local or remote arbitrary command execution, since 
some of the temporary files are shell scripts that are executed right after 
being written.
##########
Versions:
##########
flexbackup <= 1.2.1
##########
Solution:
##########
Change the default $tmpdir in /etc/flexbackup.conf from /tmp to a directory 
that only the user running flexbackup can write to (e.g. a mode 0700 
directory owned by that user). Note that this does not cover the tmp_data 
and tmp_err paths in the generated buffer-test script, which are hard-coded 
to /tmp/bufftest$$.txt and /tmp/bufftest$$.err regardless of $tmpdir; a 
complete fix requires creating every temporary file with O_EXCL and an 
unpredictable name (File::Temp in the Perl code, mktemp(1) in the generated 
shell script).
#########
Timeline:
#########
Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report (vendor-sec@lst.de) : 2005-09-30
Disclosure : 2005-10-15
#####################
Technical details :
#####################
Vulnerable code :
-----------------
* In /etc/flexbackup.conf :
$tmpdir = '/tmp';
* Into flexbackup :
&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');
If tmpdir is not defined in the configuration file, /tmp is used as the 
default; but the shipped configuration file sets tmpdir to /tmp explicitly 
anyway, so a default installation uses the world-writable /tmp either way.
5229     my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";
5236     # Create a script which tests the buffer program
5237     open(SCR,"> $tmp_script") || die;
5238     print SCR "#!/bin/sh\n";
5239     print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240     print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241     print SCR "echo testme > \$tmp_data\n";
5242     print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243     print SCR "res=\$?\n";
5244     print SCR "out=\`cat \$tmp_err\`\n";
5245     print SCR "if [ \$res -eq 0 ]; then\n";
5246     print SCR "   echo successful\n";
5247     print SCR "else\n";
5248     print SCR "   echo \"unsuccessful: exit code \$res: \$out\" \n";
5249     print SCR "fi\n";
5250     print SCR "rm -f \$tmp_data \$tmp_err\n";
5251     close(SCR);
$tmp_script is built from the host name and the PID, both predictable, and 
opened with "> " in the world-writable $tmpdir, so an attacker who 
pre-creates a symlink at that path can have an arbitrary file truncated and 
overwritten with the script contents under the privileges of the flexbackup 
user (symlink attack, race condition). Because the file is executed right 
afterwards, an attacker who wins the race can also substitute their own 
script contents.
The generated script is itself vulnerable in the same way: tmp_data and 
tmp_err are hard-coded to /tmp/bufftest$$.txt and /tmp/bufftest$$.err, again 
predictable names in /tmp written with plain redirection (symlink attack, 
race condition), and this is independent of $tmpdir.
5253     if ($host eq 'localhost') {
5254         print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255         $pipecmd = "sh $tmp_script ";
5256     } else {
5257         print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258         $pipecmd =  "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script'        )";
So the untrusted script is executed with the privileges of the flexbackup 
user, either on localhost or, via $::remoteshell, on the remote host, where 
it is written again to the same predictable $tmp_script path before being 
run.
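As an added example (not code from flexbackup or from this advisory), the following POSIX shell script reproduces, in a private sandbox directory instead of /tmp, the symlink clobber that the predictable tmp_data name in the generated buffer-test script allows, and shows the mktemp(1)-based fix. The sandbox path, the victim file and the PID value 4242 are assumptions for the demonstration; the substitution of $tmp_script contents between write and execution is a timing race and is not reproduced deterministically here.

```shell
#!/bin/sh
# Added example, not flexbackup's own code. Demonstrates the symlink attack
# against a predictable, PID-derived temporary file name written with plain
# '>' redirection, and the mktemp(1) fix. A private sandbox directory stands
# in for /tmp so the script can run anywhere. Assumes mktemp(1) and ln(1).

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT
VICTIM="$SANDBOX/victim"   # assumption: any file the flexbackup user may write

# Vulnerable pattern (mirrors "tmp_data=/tmp/bufftest$$.txt; echo testme > $tmp_data"):
# the name is guessable and '>' follows an existing symlink, truncating its target.
vulnerable_write() {
    pid=$1
    tmp_data="$SANDBOX/bufftest$pid.txt"
    echo testme > "$tmp_data"
}

# Attacker step: predict the PID (PIDs are sequential) and plant a symlink
# at the expected name before the victim writes to it.
attacker_plant() {
    pid=$1
    rm -f "$SANDBOX/bufftest$pid.txt"
    ln -s "$VICTIM" "$SANDBOX/bufftest$pid.txt"
}

# Prints the victim file's content after the attack against the vulnerable pattern.
demo_vulnerable() {
    echo original > "$VICTIM"
    attacker_plant 4242
    vulnerable_write 4242
    cat "$VICTIM"            # the victim's content has become "testme"
}

# Hardened pattern: mktemp creates the file itself with O_CREAT|O_EXCL, mode
# 0600 and an unpredictable suffix, so a planted link is neither followed nor
# guessable. Prints the path it created.
safe_write() {
    tmp_data=$(mktemp "$SANDBOX/bufftest.XXXXXX") || return 1
    echo testme > "$tmp_data"
    printf '%s\n' "$tmp_data"
}

# Prints the victim file's content after running the safe variant next to a
# planted symlink; also checks the created file is a regular file, not a link.
demo_safe() {
    echo original > "$VICTIM"
    attacker_plant 4242
    tmp=$(safe_write) || return 1
    [ -f "$tmp" ] && [ ! -L "$tmp" ] || return 1
    cat "$VICTIM"            # still "original"
}

echo "predictable name + '>' : victim file now contains '$(demo_vulnerable)'"
echo "mktemp                 : victim file still contains '$(demo_safe)'"
```

The same reasoning applies to the Perl side: "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh" opened with "> " is the Perl equivalent of the vulnerable function above, and File::Temp's tempfile() is the equivalent of mktemp.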
5446     my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447     my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448     my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";
These are exploitable in the same way (symlink attack, race condition), but 
this code path is only reached when $cfg::pad_blocks is false. The shipped 
configuration file sets pad_blocks to true, so a default installation is not 
affected here; only a modified configuration is at risk.
359     if (defined($::pkgdelta)) {
360         if (defined($::local)) {
361             &list_packages('localhost');
362             &find_packaged_files('localhost');
363             &find_changed_files('localhost');
364         }
365         foreach my $host (keys %::remotehosts) {
366             &list_packages($host);
367             &find_packaged_files($host);
368             &find_changed_files($host);
369         }
370         $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371         &line();
372     }
Here, again, the PID-based name in $cfg::tmpdir allows a symlink attack 
(race condition); this path is only reached when the pkgdelta option is used.
619     my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620     my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";
841         unlink($result);
842         open(SCR, "> $exitscript") || die;
843         print SCR '#!/bin/sh' . "\n";
844         print SCR '"$@"' . "\n";;
845         print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846         close(SCR);
847         chmod(0755, $exitscript);
848
849         push(@cmds, "[ ! -e $result ]");
850     }
This one is more difficult to race, although both names are still 
predictable, PID-based paths in $cfg::tmpdir and $exitscript is written with 
plain "> " redirection and then executed.
#########
Related :
#########
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ Audit) - Gentoo Security Scout
Thanks to the Gentoo Security Team.