Thursday, October 20, 2005

[UNIX] Flexbackup Default Config Insecure Temporary File Creation

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Flexbackup Default Config Insecure Temporary File Creation
------------------------------------------------------------------------

SUMMARY

" <http://flexbackup.sourceforge.net/> Flexible backup tool for small to
medium sized installations. Flexbackup is a flexible backup tool that
works well for small to medium sized tasks for which solutions like amanda
are overkill."

Lack of random temporary file name by flexbackup, allows local attackers
to execute arbitrary programs with the privileges of other users of the
flexbackup program.

DETAILS

Vulnerable Systems:
* flexbackup version 1.2.1 and prior

flexbackup is vulnerable to symlink attacks allowing local attackers to
create arbitrary files with the privileges of the user running the
affected script. This in turn could cause information disclosure, possible
local or even remote arbitrary commands execution.

Vulnerable Code:
* In /etc/flexbackup.conf :

$tmpdir = '/tmp';

* Into flexbackup :

&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined /tmp is used by default, but here into conf file
tmpdir is by default set to /tmp

5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236 # Create a script which tests the buffer program
5237 open(SCR,"> $tmp_script") || die;
5238 print SCR "#!/bin/sh\n";
5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241 print SCR "echo testme > \$tmp_data\n";
5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243 print SCR "res=\$?\n";
5244 print SCR "out=\`cat \$tmp_err\`\n";
5245 print SCR "if [ \$res -eq 0 ]; then\n";
5246 print SCR " echo successful\n";
5247 print SCR "else\n";
5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
5249 print SCR "fi\n";
5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
5251 close(SCR);

A possible symlink attack (race condition) exists on this code that is
also possible to create a untrusted script into the tmp_script (race
condition).

The script how is created is also vulnerable to possible symlink attack
(race condition).

5253 if ($host eq 'localhost') {
5254 print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255 $pipecmd = "sh $tmp_script ";
5256 } else {
5257 print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat >
$tmp_script; sh $tmp_script; rm -f $tmp_script' )";

Untrusted script could be executed on localhost or remote host.

5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here the $cfg::pad_blocks should be false to exploit the possible symlink
attack (race condition). By default in the conf file pad_blocks is true.
No risk if no configuration modification.

359 if (defined($::pkgdelta)) {
360 if (defined($::local)) {
361 &list_packages('localhost');
362 &find_packaged_files('localhost');
363 &find_changed_files('localhost');
364 }
365 foreach my $host (keys %::remotehosts) {
366 &list_packages($host);
367 &find_packaged_files($host);
368 &find_changed_files($host);
369 }
370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371 &line();
372 }

A possible symlink attack (race condition)

619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841 unlink($result);
842 open(SCR, "> $exitscript") || die;
843 print SCR '#!/bin/sh' . "\n";
844 print SCR '"$@"' . "\n";;
845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846 close(SCR);
847 chmod(0755, $exitscript);
848
849 push(@cmds, "[ ! -e $result ]");
850 }

ADDITIONAL INFORMATION

The information has been provided by <mailto:exploits@zataz.net> ZATAZ
Audits.
The original article can be found at:
<http://www.zataz.net/adviso/flexbackup-09192005.txt>
http://www.zataz.net/adviso/flexbackup-09192005.txt
Gentoo Bug Report can be found at:
<http://bugs.gentoo.org/show_bug.cgi?id=105000>
http://bugs.gentoo.org/show_bug.cgi?id=105000

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment