xmysqladmin insecure temporary file creation
- To: vuldb@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, vuln@xxxxxxxxxx, moderators@xxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, xforce@xxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: xmysqladmin insecure temporary file creation
- From: ZATAZ Audits <exploits@xxxxxxxxx>
- Date: Thu, 09 Jun 2005 10:17:38 +0200
- Cc: Eric Romang <eromang@xxxxxxxxx>
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- Organization: ZATAZ Audits
- Reply-to: exploits@xxxxxxxxx
- User-agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.8) Gecko/20050511
#########################################################
xmysqladmin insecure temporary file creation
Vendor: Gilbert Therrien gilbert@xxxxxxxx or mysql@xxxxxx
Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
xmysqladmin contain a security flaw wich could allow a malicious
local user to delete arbitrary files with the right off the user
how use xmysqladmin or to get sensible informations
(content off a database)
During the drop off a database, xmysqladmin drop the database and create
a tar.gz
inside /tmp without checking if the file exist already.
The exploitation require that the malicious local user no wich database
gonna be deleted.
##########
Versions:
##########
xmysqladmin <= 1.0
##########
Solution:
##########
In Makefile :
BACKUPDIR = .
I think that upstream should check if the file already exist or not
before creating it.
To prevent symlink attack use kernel patch such as grsecurity
#########
Timeline:
#########
Discovered : 2005-05-24
Vendor notified : 2005-05-29
Vendor response : no reponse
Vendor fix : no fix
Disclosure : 2005-05-29
#####################
Technical details :
#####################
Vulnerable code :
-----------------
In Makefile :
BACKUPDIR = /tmp
In createDropDB.c : begin line 94
void dropdb_drop(FL_OBJECT *obj, long data)
{
char *cmd;
if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo
you want to continue?", 0))
return;
if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre
you sure?", 0))
return;
cmd = (char *) malloc(2048);
if(!cmd) return;
sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR,
g_dropdb_dbfname,
BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);
fl_show_command_log(FL_TRANSIENT);
fl_exe_command(cmd, 1);
free(cmd);
{
MYSQL connection;
if(g_mysql_connect(&connection, Setup.host, Setup.user,
Setup.password))
{
if(mysql_drop_db(&connection, g_dropdb_dbfname))
{
fl_show_alert(mysql_error(&connection),"","",0);
}
else
{
fl_show_message("The database",g_dropdb_dbfname,"has been
destroyed");
}
mysql_close(&connection);
}
else
{
fl_show_alert("Cannot connect to server","","",0);
}
}
#########
Related :
#########
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792
#####################
Credits :
#####################
Eric Romang (eromang@xxxxxxxxx - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)