[VulnWatch] flexbackup default config insecure temporary file creation

From: ZATAZ Audits (exploits_at_zataz.net)
Date: 10/17/05

    Date: Mon, 17 Oct 2005 10:06:06 +0200
    To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com, moderators@osvdb.org, bugs@securitytracker.com, submissions@packetstormsecurity.org, news@securiteam.com, xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk, koon@gentoo.org
    
    

    #########################################################

    flexbackup default config insecure temporary file creation

    Vendor: http://flexbackup.sourceforge.net/
    Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
    Vendor informed: yes
    Exploit available: yes
    Impact : low
    Exploitation : low

    #########################################################

    The vulnerabilities are due to insecure temporary file creation caused
    by the default configuration ($tmpdir = '/tmp').

    They allow symlink attacks to create or overwrite arbitrary files with
    the privileges of the user running the affected script, disclosure of
    sensitive information, and possibly local or remote arbitrary command
    execution.

    ##########
    Versions:
    ##########

    flexbackup <= 1.2.1

    ##########
    Solution:
    ##########

    Change the default $tmpdir in the configuration to a directory that is
    writable only by the user running flexbackup, not a shared directory
    such as /tmp.

    #########
    Timeline:
    #########

    Discovered : 2005-09-06
    Vendor notified : 2005-09-19
    Vendor response : none
    Vendor fix : none
    Vendor Sec report (vendor-sec@lst.de) : 2005-09-30
    Disclosure : 2005-10-15

    #####################
    Technical details :
    #####################

    Vulnerable code :
    -----------------

    * In /etc/flexbackup.conf :

    $tmpdir = '/tmp';

    * Into flexbackup :

    &checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

    If $tmpdir is not defined, /tmp is used as the fallback; the shipped
    configuration file also sets $tmpdir to /tmp, so a default installation
    uses a world-writable directory either way.

    5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

    5236 # Create a script which tests the buffer program
    5237 open(SCR,"> $tmp_script") || die;
    5238 print SCR "#!/bin/sh\n";
    5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
    5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
    5241 print SCR "echo testme > \$tmp_data\n";
    5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
    5243 print SCR "res=\$?\n";
    5244 print SCR "out=\`cat \$tmp_err\`\n";
    5245 print SCR "if [ \$res -eq 0 ]; then\n";
    5246 print SCR " echo successful\n";
    5247 print SCR "else\n";
    5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
    5249 print SCR "fi\n";
    5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
    5251 close(SCR);

    Here a symlink attack (race condition) is possible on $tmp_script, and
    an attacker who wins the race can also place an untrusted script at that
    path before it is executed.

    The generated script itself is equally exposed: $tmp_data and $tmp_err
    (lines 5239 and 5240) are hard-coded under /tmp, so they remain open to
    symlink attacks (race condition) even if $tmpdir is changed.

    5253 if ($host eq 'localhost') {
    5254 print $::msg "| Checking '$cfg::buffer' on this machine... ";
    5255 $pipecmd = "sh $tmp_script ";
    5256 } else {
    5257 print $::msg "| Checking '$cfg::buffer' on host $host... ";
    5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script' )";

    The script is then run with sh, either locally or, after being copied
    over $::remoteshell, on the remote host, so an attacker-supplied
    $tmp_script is executed in either case.
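    As an added illustration (this is not code from the advisory or from
    flexbackup), the following Python script reproduces the pattern above
    in a private scratch directory: a predictable name built from host and
    PID, an attacker who has guessed that name planting a symlink to a file
    they want clobbered, the truncating open that flexbackup's
    open(SCR, "> $tmp_script") corresponds to, and a hardened create-only
    open that refuses to follow the link. The scratch directory, host name,
    PID and victim file are constructed for the demonstration; in the real
    attack the attacker races the backup user on the shared /tmp.

```python
import os
import tempfile


def predictable_name(tmpdir, host, pid):
    """Mirror of "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh": only host and PID vary."""
    return os.path.join(tmpdir, f"buftest.{host}.{pid}.sh")


def plant_symlink(path, victim):
    """Attacker step: pre-create the guessed name as a symlink to a file to clobber."""
    os.symlink(victim, path)


def vulnerable_write(path, body):
    """Equivalent of Perl's open(SCR, "> $tmp_script"): O_CREAT|O_TRUNC without
    O_EXCL, so an existing symlink is followed and its target is truncated."""
    with open(path, "w") as f:
        f.write(body)


def hardened_write(path, body):
    """Create-only open: O_EXCL fails if anything (including a symlink) already
    exists, O_NOFOLLOW refuses symlinks, mode 0600 keeps the script private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(body)


def demo():
    """Run both variants against a planted symlink; return what each did."""
    tmpdir = tempfile.mkdtemp()            # constructed stand-in for the shared /tmp
    victim = os.path.join(tmpdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("important data\n")

    script = "#!/bin/sh\necho testme\n"
    path = predictable_name(tmpdir, "localhost", 4242)   # attacker guessed PID 4242
    plant_symlink(path, victim)

    vulnerable_write(path, script)
    with open(victim) as f:
        clobbered = f.read()               # victim now holds the script body

    try:
        hardened_write(path, script)
        hardened_refused = False
    except OSError:                        # EEXIST (or ELOOP) on the planted symlink
        hardened_refused = True

    # With a name nobody pre-planted, the hardened open succeeds and the
    # result is a regular 0600 file, not a link.
    fresh = predictable_name(tmpdir, "localhost", 4243)
    hardened_write(fresh, script)
    mode_ok = (os.lstat(fresh).st_mode & 0o777) == 0o600 and not os.path.islink(fresh)

    return {"victim_contents": clobbered,
            "hardened_refused": hardened_refused,
            "fresh_mode_ok": mode_ok}


if __name__ == "__main__":
    print(demo())
```

    In flexbackup's own language the equivalent of hardened_write is
    File::Temp's tempfile(DIR => $cfg::tmpdir, SUFFIX => '.sh') or sysopen
    with O_WRONLY|O_CREAT|O_EXCL, and the same applies to the
    /tmp/bufftest$$ files the generated shell script writes (mktemp in sh).
    On Linux kernels with fs.protected_symlinks=1, symlinks in sticky
    world-writable directories such as /tmp are not followed when the link
    owner differs from the directory owner, which blocks this particular
    race; the demonstration uses a private mkdtemp directory, so the link is
    followed regardless of that setting.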

    5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
    5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
    5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

    These files are only created when $cfg::pad_blocks is false, so the
    symlink attack (race condition) requires that setting. The shipped
    configuration file sets pad_blocks to true, so there is no exposure
    unless the configuration has been modified.

    359 if (defined($::pkgdelta)) {
    360 if (defined($::local)) {
    361 &list_packages('localhost');
    362 &find_packaged_files('localhost');
    363 &find_changed_files('localhost');
    364 }
    365 foreach my $host (keys %::remotehosts) {
    366 &list_packages($host);
    367 &find_packaged_files($host);
    368 &find_changed_files($host);
    369 }
    370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
    371 &line();
    372 }

    Here a symlink attack (race condition) is possible on the pkgdelta file
    list.

    619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
    620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

    841 unlink($result);
    842 open(SCR, "> $exitscript") || die;
    843 print SCR '#!/bin/sh' . "\n";
    844 print SCR '"$@"' . "\n";;
    845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
    846 close(SCR);
    847 chmod(0755, $exitscript);
    848
    849 push(@cmds, "[ ! -e $result ]");
    850 }

    This one is more difficult to race.

    #########
    Related :
    #########

    Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
    CVE : CAN-2005-2965

    #####################
    Credits :
    #####################

    Eric Romang (eromang@zataz.net - ZATAZ Audit) - Gentoo Security Scout
    Thanks to the Gentoo Security Team.

