flexbackup default config insecure temporary file creation
Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
The vulnerabilities are due to insecure temporary file creation under the
default configuration.
They allow symlink attacks to create arbitrary files with the privileges
of the user running the affected script, sensitive information
disclosure, and possibly local or remote arbitrary command execution.
##########
Versions:
##########
flexbackup <= 1.2.1
##########
Solution:
##########
Change the default $tmpdir in /etc/flexbackup.conf to a directory that only
the user running flexbackup can write to (not the world-writable /tmp).
Note that the generated buffer-test script still hardcodes
/tmp/bufftest$$.txt and /tmp/bufftest$$.err regardless of $tmpdir.
#########
Timeline:
#########
Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report (vendor-sec (at) lst (dot) de) : 2005-09-30
Disclosure : 2005-10-15
#####################
Technical details :
#####################
Vulnerable code :
-----------------
* In /etc/flexbackup.conf :
$tmpdir = '/tmp';
* In flexbackup :
&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');
If tmpdir is not defined, /tmp is used as the fallback; but the shipped
configuration file also sets tmpdir to /tmp, so either way temporary files
land in the world-writable /tmp.
flexbackup, line 5229 and lines 5236-5251 :
my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";
[...]
# Create a script which tests the buffer program
open(SCR,"> $tmp_script") || die;
print SCR "#!/bin/sh\n";
print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
print SCR "echo testme > \$tmp_data\n";
print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
print SCR "res=\$?\n";
print SCR "out=\`cat \$tmp_err\`\n";
print SCR "if [ \$res -eq 0 ]; then\n";
print SCR " echo successful\n";
print SCR "else\n";
print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
print SCR "fi\n";
print SCR "rm -f \$tmp_data \$tmp_err\n";
close(SCR);
Here a symlink attack (race condition) is possible: the name is predictable
(host name plus PID) and open(SCR,"> $tmp_script") follows a pre-planted
symlink, so an arbitrary file is clobbered with the privileges of the user
running flexbackup. The same window also lets an attacker put an untrusted
script into $tmp_script before it is executed (race condition).
The generated script is itself vulnerable to the same symlink attack
(race condition): it writes to the fixed names /tmp/bufftest$$.txt and
/tmp/bufftest$$.err, which ignore $tmpdir entirely.
flexbackup, lines 5253-5258 :
if ($host eq 'localhost') {
print $::msg "| Checking '$cfg::buffer' on this machine... ";
$pipecmd = "sh $tmp_script ";
} else {
print $::msg "| Checking '$cfg::buffer' on host $host... ";
$pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script' )";
We see here that the untrusted script is then run with sh, either on
localhost or, through $::remoteshell, on the remote host, where it is again
written to the same predictable name with cat before being executed.
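The two outcomes described above, as an added example (constructed for this
advisory, not flexbackup's own code): a victim writes a helper script to the
predictable name buftest.HOST.PID.sh in a shared directory and runs it with
sh, an attacker who shares the directory has planted a symlink or pre-created
the file, and the two defenses are shown beside it (an O_EXCL/O_NOFOLLOW
open, and a private 0700 directory with an unpredictable name, which is what
"change $tmpdir" should amount to). The function names, the payload strings
and the PID 4242 are assumptions; everything runs in throwaway directories.

```python
import os
import subprocess
import tempfile

SCRIPT_BODY = "#!/bin/sh\necho testme\n"               # what the victim means to run
ATTACKER_BODY = "#!/bin/sh\necho attacker was here\n"  # constructed attacker payload


def predictable_name(tmpdir, host, pid):
    """Same naming scheme as flexbackup: guessable from host name and PID."""
    return os.path.join(tmpdir, f"buftest.{host}.{pid}.sh")


def unsafe_write(path, body):
    """Equivalent of open(SCR, "> $tmp_script"): O_CREAT|O_TRUNC, follows symlinks."""
    with open(path, "w") as f:
        f.write(body)


def safe_write(path, body):
    """O_EXCL refuses any pre-existing name (a symlink included) and O_NOFOLLOW
    refuses symlinks outright; mode 0600 keeps other users out of the file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(body)


def symlink_clobber():
    """Attacker plants a symlink at the predictable name; the victim's unsafe
    open follows it and overwrites the symlink target with the script body.
    Returns the target's contents afterwards."""
    with tempfile.TemporaryDirectory() as shared:
        target = os.path.join(shared, "important_file")
        with open(target, "w") as f:
            f.write("original contents\n")
        path = predictable_name(shared, "localhost", 4242)
        os.symlink(target, path)          # attacker's move, before the victim runs
        unsafe_write(path, SCRIPT_BODY)   # victim's open("> $tmp_script")
        with open(target) as f:
            return f.read()


def script_replacement():
    """Attacker pre-creates a world-writable file at the name; the victim's open
    truncates and fills it, then runs sh on it. Rewriting the file inside that
    window gets the attacker's commands executed with the victim's privileges.
    (Same user here, so the permissions are only described, not enforced.)
    Returns what sh printed."""
    with tempfile.TemporaryDirectory() as shared:
        path = predictable_name(shared, "localhost", 4242)
        unsafe_write(path, "#!/bin/sh\n")    # attacker pre-creates the file
        unsafe_write(path, SCRIPT_BODY)      # victim writes its script
        unsafe_write(path, ATTACKER_BODY)    # attacker wins the race window
        out = subprocess.run(["sh", path], capture_output=True, text=True, check=False)
        return out.stdout.strip()


def exclusive_open_blocks_symlink():
    """With O_EXCL the planted symlink makes the open fail (EEXIST) instead of
    being followed. Returns True if the open was refused."""
    with tempfile.TemporaryDirectory() as shared:
        target = os.path.join(shared, "important_file")
        open(target, "w").close()
        path = predictable_name(shared, "localhost", 4242)
        os.symlink(target, path)
        try:
            safe_write(path, SCRIPT_BODY)
        except FileExistsError:
            return True
        return False


def private_tempdir_script():
    """The advisory's fix done properly: a tmpdir only the running user can
    enter (mkdtemp creates it 0700) plus an unpredictable, O_EXCL-created name.
    Returns (directory mode, what sh printed)."""
    private = tempfile.mkdtemp(prefix="flexbackup.")
    fd, path = tempfile.mkstemp(prefix="buftest.", suffix=".sh", dir=private)
    with os.fdopen(fd, "w") as f:
        f.write(SCRIPT_BODY)
    mode = os.stat(private).st_mode & 0o777
    out = subprocess.run(["sh", path], capture_output=True, text=True, check=False)
    os.unlink(path)
    os.rmdir(private)
    return mode, out.stdout.strip()
```

In Perl, the private_tempdir_script pattern is File::Temp: tempdir(CLEANUP => 1)
for the 0700 directory and tempfile($template, DIR => $dir, SUFFIX => '.sh') for
the file, which opens with O_EXCL and returns the handle, so the script is
written through the handle rather than through a name that can be swapped.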
flexbackup, lines 5446-5448 :
my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";
Here $cfg::pad_blocks must be false for this code to run and the symlink
attack (race condition) to be possible. By default in the conf file
pad_blocks is true, so there is no risk unless the configuration is changed.
flexbackup, lines 359-372 :
if (defined($::pkgdelta)) {
if (defined($::local)) {
&list_packages('localhost');
&find_packaged_files('localhost');
&find_changed_files('localhost');
}
foreach my $host (keys %::remotehosts) {
&list_packages($host);
&find_packaged_files($host);
&find_changed_files($host);
}
$::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
&line();
}
Here a symlink attack (race condition) on the predictable
$cfg::tmpdir/pkgdelta.$PROCESS_ID is possible; this path is only reached
when pkgdelta is requested.
flexbackup, lines 619-620 and 841-850 :
my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";
[...]
unlink($result);
open(SCR, "> $exitscript") || die;
print SCR '#!/bin/sh' . "\n";
print SCR '"$@"' . "\n";;
print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
close(SCR);
chmod(0755, $exitscript);

push(@cmds, "[ ! -e $result ]");
}
This one is harder to race: $result is unlinked first and the command list
checks [ ! -e $result ] before it is used, so the attacker has to re-create
the link after the unlink and before the check. $exitscript, however, is
still opened with the same truncating open and then chmod 0755.
#########
Related :
#########
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965
#####################
Credits :
#####################
Eric Romang (eromang (at) zataz (dot) net - ZATAZ Audit) - Gentoo Security Scout
Thanks to the Gentoo Security Team.