[UNIX] Rsnapshot chown() Follow Symlink Bug

From: SecuriTeam (support_at_securiteam.com)
Date: 04/11/05

    To: list@securiteam.com
    Date: 11 Apr 2005 16:25:17 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Rsnapshot chown() Follow Symlink Bug
    ------------------------------------------------------------------------

    SUMMARY

    rsnapshot <http://www.rsnapshot.org/security/> is "a filesystem snapshot
    utility for making backups of local and remote systems. Using rsync and
    hard links, it is possible to keep multiple, full backups instantly
    available. The disk space required is just a little more than the space of
    one full backup, plus incremental".

    The copy_symlink() subroutine in rsnapshot incorrectly changes file
    ownership on the files pointed to by symlinks, not on the symlinks
    themselves. This would allow, under certain circumstances, an arbitrary
    user to take ownership of a file on the main filesystem.

    DETAILS

    Vulnerable Systems:
     * rsnapshot version 1.1.6 and prior
     * rsnapshot version 1.2.0

    Immune Systems:
     * rsnapshot version 1.1.7 or newer
     * rsnapshot version 1.2.1 or newer

    The copy_symlink() subroutine is called under either of the following
    circumstances:
    a) If the cmd_cp parameter has NOT been enabled, OR

    b) If the backup_script parameter is set, and the backup script generates
    symlinks as part of its output

    In either case, exploitation also requires that:
    c) The attacker can create symlinks in a directory that is backed up,
    either by creating them directly or by influencing a backup script.

    This vulnerability has been fixed in rsnapshot versions 1.1.7 and 1.2.1.
    It is recommended that all users upgrade immediately.

    Upgrade Instructions:
    For users of rsnapshot 1.2.0, download and install version 1.2.1.

    For users of rsnapshot 1.1.6 or earlier, download and install version
    1.1.7.

      ---------------
      rsnapshot 1.2.1
      ---------------
    http://www.rsnapshot.org/downloads/rsnapshot-1.2.1.tar.gz
    http://www.rsnapshot.org/downloads/rsnapshot-1.2.1.tar.gz.asc

    http://www.rsnapshot.org/downloads/rsnapshot-1.2.1-1.noarch.rpm
    http://www.rsnapshot.org/downloads/rsnapshot-1.2.1-1.noarch.rpm.asc

    http://www.rsnapshot.org/downloads/rsnapshot_1.2.1-1_all.deb
    http://www.rsnapshot.org/downloads/rsnapshot_1.2.1-1_all.deb.asc

      ---------------
      rsnapshot 1.1.7
      ---------------
    http://www.rsnapshot.org/downloads/rsnapshot-1.1.7.tar.gz
    http://www.rsnapshot.org/downloads/rsnapshot-1.1.7.tar.gz.asc

    http://www.rsnapshot.org/downloads/rsnapshot-1.1.7-1.noarch.rpm
    http://www.rsnapshot.org/downloads/rsnapshot-1.1.7-1.noarch.rpm.asc

    http://www.rsnapshot.org/downloads/rsnapshot_1.1.7-1_all.deb
    http://www.rsnapshot.org/downloads/rsnapshot_1.1.7-1_all.deb.asc

    Workarounds:
    Enable the cmd_cp parameter (requires GNU cp, and works best on Linux).
    Make sure any scripts specified by the backup_script parameter do not
    create symlinks.
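
    For triage on a host that ran a vulnerable version, the following added
    example (not part of the rsnapshot advisory or code) lists symlinks in a
    snapshot tree whose targets resolve outside it, which are the files a
    symlink-following chown() could have reached. The function names, the
    snapshot path and the sample tree are assumptions constructed for
    illustration.

```python
import os
import tempfile


def audit_symlinks(snapshot_root):
    """List symlinks under snapshot_root whose target resolves outside it.

    A chown() that follows such a link acts on the outside file, so each
    finding names a file whose current ownership should be reviewed.
    """
    root = os.path.realpath(snapshot_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if target == root or target.startswith(root + os.sep):
                continue  # resolves inside the snapshot tree
            try:
                target_uid = os.stat(target).st_uid  # owner of the file reached
            except OSError:
                continue  # dangling link: no file for chown() to reach
            findings.append({
                "link": path,
                "target": target,
                "link_uid": os.lstat(path).st_uid,  # owner of the link itself
                "target_uid": target_uid,
            })
    return findings


def build_sample(base):
    """Constructed sample tree: one link stays inside, one escapes."""
    snap = os.path.join(base, "snapshot", "home")
    live = os.path.join(base, "live")
    os.makedirs(snap)
    os.makedirs(live)
    for path in (os.path.join(snap, "notes.txt"), os.path.join(live, "passwd")):
        open(path, "w").close()
    os.symlink("notes.txt", os.path.join(snap, "inside"))
    os.symlink(os.path.join(live, "passwd"), os.path.join(snap, "outside"))
    return os.path.join(base, "snapshot")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for finding in audit_symlinks(build_sample(base)):
            print(finding)
```

    Compare each reported target_uid with the owner that file is expected to
    have on the main filesystem.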

    ADDITIONAL INFORMATION

    The information has been provided by rsnapshot Security
    <mailto:security@rsnapshot.org>.
    The original article can be found at:
    http://www.rsnapshot.org/security/2005/001.html
