xmysqladmin insecure temporary file creation

From: ZATAZ Audits (exploits_at_zataz.net)
Date: 06/09/05

Date: Thu, 09 Jun 2005 10:17:38 +0200
To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com, moderators@osvdb.org, bugs@securitytracker.com, submissions@packetstormsecurity.org, news@securiteam.com, xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk

    #########################################################

    xmysqladmin insecure temporary file creation

    Vendor: Gilbert Therrien gilbert@ican.net or mysql@tcx.se
    Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
    Vendor informed: yes
    Exploit available: yes
    Impact : low
    Exploitation : low

    #########################################################

    xmysqladmin contains a security flaw which could allow a malicious
    local user to delete arbitrary files with the privileges of the user
    who runs xmysqladmin, or to obtain sensitive information
    (the content of a database).

    When a database is dropped, xmysqladmin drops the database and creates
    a tar.gz backup of it inside /tmp, under a predictable name, without
    checking whether that file already exists.

    Exploitation requires that the malicious local user know which
    database is going to be deleted.

    ##########
    Versions:
    ##########

    xmysqladmin <= 1.0

    ##########
    Solution:
    ##########

    In Makefile :

    BACKUPDIR = .

    I think that upstream should check whether the file already exists
    before creating it.

    To prevent symlink attacks, use a kernel patch such as grsecurity.

    #########
    Timeline:
    #########

    Discovered : 2005-05-24
    Vendor notified : 2005-05-29
    Vendor response : no response
    Vendor fix : no fix
    Disclosure : 2005-05-29

    #####################
    Technical details :
    #####################

    Vulnerable code :
    -----------------

    In Makefile :

    BACKUPDIR = /tmp

    In createDropDB.c, beginning at line 94:

    void dropdb_drop(FL_OBJECT *obj, long data)
    {
       char *cmd;

       if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo you want to continue?", 0))
             return;
       if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre you sure?", 0))
             return;

       cmd = (char *) malloc(2048);
       if(!cmd) return;

       /* Backup archive path is BACKUPDIR/<dbname>.tar<BACKUPSUFFIX>, i.e. a
          predictable name under /tmp; nothing checks whether that name already
          exists or is a symlink before the archive is written there. */
       sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR, g_dropdb_dbfname,
               BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

       fl_show_command_log(FL_TRANSIENT);
       fl_exe_command(cmd, 1);   /* runs the backup command via the shell */
       free(cmd);

       {
         MYSQL connection;
         if(g_mysql_connect(&connection, Setup.host, Setup.user, Setup.password))
         {
           if(mysql_drop_db(&connection, g_dropdb_dbfname))
             {
               fl_show_alert(mysql_error(&connection),"","",0);
             }
           else
             {
               fl_show_message("The database",g_dropdb_dbfname,"has been destroyed");
             }

           mysql_close(&connection);
         }
         else
           {
               fl_show_alert("Cannot connect to server","","",0);
           }
       }
    }
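As an added example (not xmysqladmin's code and not the vendor's fix), the following C shows the check the Solution section asks for, done the way a kernel can enforce it: the backup archive goes into a fresh mkdtemp() directory and is opened with O_CREAT|O_EXCL|O_NOFOLLOW, so a pre-existing file or a planted symlink at the predicted name makes the operation fail rather than being followed; snprintf() replaces the original's unbounded sprintf(). The function names and the self-check scenario are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Fresh mode-0700 directory under base (e.g. /tmp): another local user can
 * neither predict the archive path nor pre-create anything inside it. */
int make_private_backup_dir(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/xmysqladmin-backup.XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen) return -1;   /* truncated: refuse */
    return mkdtemp(out) ? 0 : -1;
}

/* Open "<dir>/<dbname>.tar<suffix>" for writing.  O_CREAT|O_EXCL makes the
 * kernel refuse atomically if anything (plain file or planted symlink) already
 * occupies the name, so there is no stat()-then-open() window to race.
 * Returns the fd, or -1 with errno EEXIST when the name is already taken. */
int open_backup_exclusive(const char *dir, const char *dbname,
                          const char *suffix)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s.tar%s", dir, dbname, suffix);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Walks the advisory's scenario; returns 0 if every step behaves as intended,
 * otherwise the number of the failing step. */
int backup_race_selfcheck(const char *base)
{
    char dir[PATH_MAX], p[PATH_MAX];
    if (make_private_backup_dir(base, dir, sizeof dir) != 0) return 1;
    int fd = open_backup_exclusive(dir, "testdb", ".gz");   /* fresh name: ok */
    if (fd < 0) return 2;
    close(fd);
    if (open_backup_exclusive(dir, "testdb", ".gz") != -1 || errno != EEXIST)
        return 3;                              /* name now taken: refused */
    snprintf(p, sizeof p, "%s/other.tar.gz", dir);
    if (symlink("/nonexistent/planted-target", p) != 0) return 4;
    if (open_backup_exclusive(dir, "other", ".gz") != -1 || errno != EEXIST)
        return 5;                              /* planted symlink: refused */
    unlink(p);
    snprintf(p, sizeof p, "%s/testdb.tar.gz", dir);
    unlink(p);
    return rmdir(dir) == 0 ? 0 : 6;
}
```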

    #########
    Related :
    #########

    Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792

    #####################
    Credits :
    #####################

    Eric Romang (eromang@zataz.net - ZATAZ Audit)
    Thanks to the Gentoo Security Team (Taviso, jaervosz, solar, etc.)
