[UNIX] Flexbackup Default Config Insecure Temporary File Creation

From: SecuriTeam (support_at_securiteam.com)
Date: 10/20/05

  • Next message: SecuriTeam: "[NEWS] Gecko Based Browsers Multiple DoS Vulnerabilities (parsererror, sourcetext, style***)" 
    To: list@securiteam.com
Date: 20 Oct 2005 19:03:26 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Flexbackup Default Config Insecure Temporary File Creation
    ------------------------------------------------------------------------

    SUMMARY

    " <http://flexbackup.sourceforge.net/> Flexible backup tool for small to
    medium sized installations. Flexbackup is a flexible backup tool that
    works well for small to medium sized tasks for which solutions like amanda
    are overkill."

    Lack of random temporary file name by flexbackup, allows local attackers
    to execute arbitrary programs with the privileges of other users of the
    flexbackup program.

    DETAILS

    Vulnerable Systems:
     * flexbackup version 1.2.1 and prior

    flexbackup is vulnerable to symlink attacks allowing local attackers to
    create arbitrary files with the privileges of the user running the
    affected script. This in turn could cause information disclosure, possible
    local or even remote arbitrary commands execution.

    Vulnerable Code:
     * In /etc/flexbackup.conf :

    $tmpdir = '/tmp';

     * Into flexbackup :

    &checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

    If tmpdir is not defined /tmp is used by default, but here into conf file
    tmpdir is by default set to /tmp

    5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

    5236 # Create a script which tests the buffer program
    5237 open(SCR,"> $tmp_script") || die;
    5238 print SCR "#!/bin/sh\n";
    5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
    5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
    5241 print SCR "echo testme > \$tmp_data\n";
    5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
    5243 print SCR "res=\$?\n";
    5244 print SCR "out=\`cat \$tmp_err\`\n";
    5245 print SCR "if [ \$res -eq 0 ]; then\n";
    5246 print SCR " echo successful\n";
    5247 print SCR "else\n";
    5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
    5249 print SCR "fi\n";
    5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
    5251 close(SCR);

    A possible symlink attack (race condition) exists on this code that is
    also possible to create a untrusted script into the tmp_script (race
    condition).

    The script how is created is also vulnerable to possible symlink attack
    (race condition).

    5253 if ($host eq 'localhost') {
    5254 print $::msg "| Checking '$cfg::buffer' on this machine... ";
    5255 $pipecmd = "sh $tmp_script ";
    5256 } else {
    5257 print $::msg "| Checking '$cfg::buffer' on host $host... ";
    5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat >
    $tmp_script; sh $tmp_script; rm -f $tmp_script' )";

    Untrusted script could be executed on localhost or remote host.

    5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
    5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
    5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

    Here the $cfg::pad_blocks should be false to exploit the possible symlink
    attack (race condition). By default in the conf file pad_blocks is true.
    No risk if no configuration modification.

    359 if (defined($::pkgdelta)) {
    360 if (defined($::local)) {
    361 &list_packages('localhost');
    362 &find_packaged_files('localhost');
    363 &find_changed_files('localhost');
    364 }
    365 foreach my $host (keys %::remotehosts) {
    366 &list_packages($host);
    367 &find_packaged_files($host);
    368 &find_changed_files($host);
    369 }
    370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
    371 &line();
    372 }

    A possible symlink attack (race condition)

    619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
    620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

    841 unlink($result);
    842 open(SCR, "> $exitscript") || die;
    843 print SCR '#!/bin/sh' . "\n";
    844 print SCR '"$@"' . "\n";;
    845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
    846 close(SCR);
    847 chmod(0755, $exitscript);
    848
    849 push(@cmds, "[ ! -e $result ]");
    850 }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:exploits@zataz.net> ZATAZ
    Audits.
    The original article can be found at:
    <http://www.zataz.net/adviso/flexbackup-09192005.txt>
    http://www.zataz.net/adviso/flexbackup-09192005.txt
    Gentoo Bug Report can be found at:
    <http://bugs.gentoo.org/show_bug.cgi?id=105000>
    http://bugs.gentoo.org/show_bug.cgi?id=105000

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Gecko Based Browsers Multiple DoS Vulnerabilities (parsererror, sourcetext, style***)"
    • Quantcast