flexbackup default config insecure temporary file creation

To: vuldb@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, vuln@xxxxxxxxxx, moderators@xxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, xforce@xxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, koon@xxxxxxxxxx
Subject: flexbackup default config insecure temporary file creation
From: ZATAZ Audits <exploits@xxxxxxxxx>
Date: Mon, 17 Oct 2005 10:06:06 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: ZATAZ Audits
Reply-to: exploits@xxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.10) Gecko/20050716

#########################################################

flexbackup default config insecure temporary file creation

Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerabilities ared due to insecure temporary files creations dueto a default config.

They are symlink attacks to create arbitrary files with the privilegesof the user running the affected script, sensitive informationsdisclosure, possible local or remote arbitrary commands execution.


##########
Versions:
##########

flexbackup <= 1.2.1

##########
Solution:
##########

Change default config $tmpdir

#########
Timeline:
#########

Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report (vendor-sec@xxxxxx) : 2005-09-30
Disclosure : 2005-10-15

#####################
Technical details :
#####################

Vulnerable code :
-----------------

* In /etc/flexbackup.conf :

$tmpdir = '/tmp';

* Into flexbackup :

&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined /tmp is used by default, but here into conffile tmpdir is by default set to /tmp


5229     my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236     # Create a script which tests the buffer program
5237     open(SCR,"> $tmp_script") || die;
5238     print SCR "#!/bin/sh\n";
5239     print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240     print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241     print SCR "echo testme > \$tmp_data\n";
5242     print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243     print SCR "res=\$?\n";
5244     print SCR "out=\`cat \$tmp_err\`\n";
5245     print SCR "if [ \$res -eq 0 ]; then\n";
5246     print SCR "   echo successful\n";
5247     print SCR "else\n";
5248     print SCR "   echo \"unsuccessful: exit code \$res: \$out\" \n";
5249     print SCR "fi\n";
5250     print SCR "rm -f \$tmp_data \$tmp_err\n";
5251     close(SCR);

Here we have possible symlink attack (race condition), and alsopossibility to create a untrusted script into the tmp_script (racecondition).

The script how is created is also vulnerable to possible symlink attack(race condition).


5253     if ($host eq 'localhost') {
5254         print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255         $pipecmd = "sh $tmp_script ";
5256     } else {
5257         print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258         $pipecmd =  "cat $tmp_script | ($::remoteshell $host 'cat >
$tmp_script; sh $tmp_script; rm -f $tmp_script'        )";

We see here that the untrusted script could be executed on localhost orremote

host.

5446     my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447     my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448     my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here the $cfg::pad_blocks should be false to exploit the possiblesymlink attack (race condition). By default in the conf file pad_blocksis true. No risk if no configuration modification.


359     if (defined($::pkgdelta)) {
360         if (defined($::local)) {
361             &list_packages('localhost');
362             &find_packaged_files('localhost');
363             &find_changed_files('localhost');
364         }
365         foreach my $host (keys %::remotehosts) {
366             &list_packages($host);
367             &find_packaged_files($host);
368             &find_changed_files($host);
369         }
370         $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371         &line();
372     }

Here we have possible symlink attack (race condition)

619     my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620     my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841         unlink($result);
842         open(SCR, "> $exitscript") || die;
843         print SCR '#!/bin/sh' . "\n";
844         print SCR '"$@"' . "\n";;
845         print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846         close(SCR);
847         chmod(0755, $exitscript);
848
849         push(@cmds, "[ ! -e $result ]");
850     }

This one is more difficult to race.


#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965

#####################
Credits :
#####################

Eric Romang (eromang@xxxxxxxxx - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.

Prev by Date: ie7 will have more mechanisms
Next by Date: [OpenPKG-SA-2005.022] OpenPKG Security Advisory (openssl)
Previous by thread: ie7 will have more mechanisms
Next by thread: [OpenPKG-SA-2005.022] OpenPKG Security Advisory (openssl)
Index(es):
- Date
- Thread