BugTraq
capi4hylafax insecure manipulation with tmp files Mar 07 2006 09:27PM
Javor Ninov (drfrancky securax org)
capi4hylafax suite (http://freshmeat.net/projects/capi4hylafax/ ) is
addon for hylafax fax server (http://www.hylafax.org/)

vulnerable:
capi4hylafax-01.03.00 /probably others/

in capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp :

#ifdef GENERATE_DEBUGSFFDATAFILE
dwarning (DebugSffDataFile == 0);
if (!DebugSffDataFile) {
DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
}
#endif

in

and in capi4hylafax-01.03.00/src/faxsend/faxsend.cpp :

#ifdef GENERATE_DEBUGSFFDATAFILE
dassert (DebugSffDataFile == 0);
DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
#endif

vulnerable capi4hylafax-1.1a

in capi4hylafax-1.1a/src/standard/ExtFuncs.h :
#define DEBUG_FILE_NAME "/tmp/c2faxfcalls.log"

then in capi4hylafax-1.1a/src/standard/DbgFile.c:
unsigned DebugFileOpen (void) {
DebugFileClose();
hFile = fopen (DEBUG_FILE_NAME, "w");
return (hFile != 0);
}
<snip>
void DebugFilePrint (char *string) {
if (hFile) {
fprintf (hFile, string);
fflush (hFile);
}
printf (string);
}

impact:
a regular user of the system can create a symbolic link to file on which
hylafax has write access leading to overwriting of this file

!!! VENDOR IS NOT NOTIFIED !!!

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFEDfq3ck4kcwaj+YIRAgkaAJ9DrwmQOjWfehs72hrVHgmzVewsXwCfe7Yq
HsdNNRz59qLRqQCwu/UP1G8=
=xsnA
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus