xmysqladmin insecure temporary file creation

From: ZATAZ Audits (exploits_at_zataz.net)
Date: 06/09/05

    Date: Thu, 09 Jun 2005 10:17:38 +0200
    To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com, moderators@osvdb.org, bugs@securitytracker.com, submissions@packetstormsecurity.org, news@securiteam.com, xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk
    
    

    #########################################################

    xmysqladmin insecure temporary file creation

    Vendor: Gilbert Therrien gilbert@ican.net or mysql@tcx.se
    Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
    Vendor informed: yes
    Exploit available: yes
    Impact : low
    Exploitation : low

    #########################################################

    xmysqladmin contains a security flaw which could allow a malicious
    local user to delete arbitrary files with the rights of the user
    who runs xmysqladmin, or to obtain sensitive information
    (the contents of a database).

    When dropping a database, xmysqladmin drops the database and creates
    a tar.gz inside /tmp without checking whether the file already exists.

    Exploitation requires that the malicious local user know which database
    is going to be deleted.

    ##########
    Versions:
    ##########

    xmysqladmin <= 1.0

    ##########
    Solution:
    ##########

    In Makefile :

    BACKUPDIR = .

    I think that upstream should check whether the file already exists
    before creating it.

    To prevent symlink attacks, use a kernel patch such as grsecurity.

    #########
    Timeline:
    #########

    Discovered : 2005-05-24
    Vendor notified : 2005-05-29
    Vendor response : no response
    Vendor fix : no fix
    Disclosure : 2005-05-29

    #####################
    Technical details :
    #####################

    Vulnerable code :
    -----------------

    In Makefile :

    BACKUPDIR = /tmp

    In createDropDB.c : begin line 94

    void dropdb_drop(FL_OBJECT *obj, long data)
    {
       char *cmd;

       if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo you want to continue?", 0))
             return;
       if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre you sure?", 0))
             return;

       cmd = (char *) malloc(2048);
       if(!cmd) return;

       /* The archive is written to BACKUPDIR/<dbname>.tar<BACKUPSUFFIX>, a
          predictable name under /tmp; nothing checks whether that path
          already exists (or is a symlink) before the BACKUP command writes to it. */
       sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR, g_dropdb_dbfname,
               BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

       fl_show_command_log(FL_TRANSIENT);
       fl_exe_command(cmd, 1);
       free(cmd);

       {
         MYSQL connection;
         if(g_mysql_connect(&connection, Setup.host, Setup.user, Setup.password))
         {
           if(mysql_drop_db(&connection, g_dropdb_dbfname))
             {
               fl_show_alert(mysql_error(&connection),"","",0);
             }
           else
             {
               fl_show_message("The database",g_dropdb_dbfname,"has been destroyed");
             }

           mysql_close(&connection);
         }
         else
           {
               fl_show_alert("Cannot connect to server","","",0);
           }
       }
    }
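    As an added illustration (not part of the advisory and not xmysqladmin's own code), the hardened counterpart to the sprintf()/shell step above: the program creates the backup file itself with O_CREAT|O_EXCL|O_NOFOLLOW, so a file or symlink already sitting at the predictable /tmp path is refused instead of being overwritten through. The names open_backup_exclusive, backup_path and demo_backup_check are hypothetical, and the scratch directory and files are constructed for the demonstration.

```c
#define _GNU_SOURCE              /* O_NOFOLLOW, mkdtemp, symlink on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened replacement for the backup step of dropdb_drop():
 * O_EXCL makes open() fail with EEXIST if anything (file or symlink) already
 * sits at the path; O_NOFOLLOW never dereferences a symlink. Returns fd/-1. */
int open_backup_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Same "%s/%s.tar%s" layout the advisory's sprintf() builds, but bounded. */
int backup_path(char *out, size_t outlen, const char *dir,
                const char *dbname, const char *suffix)
{
    int n = snprintf(out, outlen, "%s/%s.tar%s", dir, dbname, suffix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Exercise the check in a private scratch directory (constructed data): a
 * symlink already at the predictable backup path must be refused and its
 * target left intact; a fresh path must be created. Returns 0 on success. */
int demo_backup_check(void)
{
    char dir[] = "/tmp/xma-demo-XXXXXX", keep[256], path[256];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(keep, sizeof keep, "%s/keep.txt", dir);
    int kfd = open(keep, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (kfd < 0 || write(kfd, "keep me\n", 8) != 8) return -2; close(kfd);
    if (backup_path(path, sizeof path, dir, "shop", ".gz")) return -3;
    if (symlink(keep, path)) return -4;        /* pre-existing link at path */
    int fd = open_backup_exclusive(path);      /* must refuse with EEXIST */
    if (fd >= 0 || errno != EEXIST) return -5;
    if (stat(keep, &st) || st.st_size != 8) return -6;  /* target untouched */
    unlink(path);
    if (backup_path(path, sizeof path, dir, "other", ".gz")) return -7;
    fd = open_backup_exclusive(path);          /* nothing there: created */
    if (fd < 0) return -8;
    close(fd);
    unlink(path); unlink(keep); rmdir(dir);    /* clean up scratch files */
    return 0;
}
```

    The descriptor returned by open_backup_exclusive() would then be handed to the archiver (for example via its stdout) rather than letting the external command open the path a second time by name.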

    #########
    Related :
    #########

    Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792

    #####################
    Credits :
    #####################

    Eric Romang (eromang@zataz.net - ZATAZ Audit)
    Thanks to the Gentoo Security Team. (Taviso, jaervosz, solar, etc.)

