[UNIX] capi4hylafax Insecure Files Manipulation
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 16 Mar 2006 13:55:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
capi4hylafax Insecure Files Manipulation
------------------------------------------------------------------------
SUMMARY
capi4hylafax is an add-on for hylafax that implements the CAPI protocol.
capi4hylafax does not create a random name for a temporary file, allowing
attackers to overwrite file content using a symbolic link attack.
DETAILS
Vulnerable Systems:
* capi4hylafax version 01.03.00
Because capi4hylafax uses static temporary file names, an attacker may
create a symbolic link to an existing file on the system, making
capi4hylafax overwrite that file's content.
Code Snippets:
in capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp:

    #ifdef GENERATE_DEBUGSFFDATAFILE
        dwarning (DebugSffDataFile == 0);
        if (!DebugSffDataFile) {
            DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
        }
    #endif

in capi4hylafax-01.03.00/src/faxsend/faxsend.cpp:

    #ifdef GENERATE_DEBUGSFFDATAFILE
        dassert (DebugSffDataFile == 0);
        DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
    #endif

in capi4hylafax-1.1a/src/standard/ExtFuncs.h:

    #define DEBUG_FILE_NAME "/tmp/c2faxfcalls.log"

in capi4hylafax-1.1a/src/standard/DbgFile.c:

    unsigned DebugFileOpen (void) {
        DebugFileClose();
        hFile = fopen (DEBUG_FILE_NAME, "w");
        return (hFile != 0);
    }
    ..
    void DebugFilePrint (char *string) {
        if (hFile) {
            fprintf (hFile, string);
            fflush (hFile);
        }
        printf (string);
    }
A regular user of the system can create a symbolic link to a file to which
hylafax has write access, leading to that file being overwritten.
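The following is an added example, not part of the original advisory or the capi4hylafax source: one way to open such debug files so that a pre-planted symbolic link is refused rather than followed. The function names and the scratch paths are hypothetical, and the check at the end uses constructed files in a private scratch directory.

```c
/* Added example, not capi4hylafax code: symlink-safe debug file creation. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Wrap a descriptor in a stdio stream, closing it if fdopen() fails. */
static FILE *to_stream(int fd)
{
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w");
    if (fd >= 0 && !fp)
        close(fd);
    return fp;
}

/* Fixed name: O_EXCL fails if anything, even a dangling symlink, is there. */
FILE *debug_open_fixed(const char *path)
{
    return to_stream(open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600));
}

/* Preferred: mkstemp() creates an unpredictable name atomically, mode 0600. */
FILE *debug_open_random(char *tmpl)
{
    return to_stream(mkstemp(tmpl));
}

/* Constructed check: a symlink planted at the debug path must not be followed. */
int planted_symlink_is_refused(void)
{
    char dir[] = "/tmp/dbgdemoXXXXXX", victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/existing", dir);
    snprintf(lnk, sizeof lnk, "%s/dbgdatafile.sff", dir);
    FILE *v = fopen(victim, "w");
    if (!v || fputs("keep", v) < 0 || fclose(v) || symlink(victim, lnk))
        return 0;
    FILE *fp = debug_open_fixed(lnk);   /* expected: NULL (EEXIST) */
    int ok = fp == NULL && stat(victim, &st) == 0 && st.st_size == 4;
    if (fp) fclose(fp);
    unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) { return planted_symlink_is_refused() ? 0 : 1; }
```

With fopen(path, "w") the same planted link would be followed and the existing file truncated; keeping debug output in a directory writable only by the service account removes the race entirely.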
ADDITIONAL INFORMATION
The information has been provided by <mailto:drfrancky@xxxxxxxxxxx> Javor
Ninov.