xmysqladmin insecure temporary file creation

2005-06-10T00:00:00
ID SECURITYVULNS:DOC:8827
Type securityvulns
Reporter Securityvulns
Modified 2005-06-10T00:00:00

Description

xmysqladmin insecure temporary file creation

Vendor: Gilbert Therrien gilbert@ican.net or mysql@tcx.se Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt Vendor informed: yes Exploit available: yes Impact : low Exploitation : low

xmysqladmin contain a security flaw wich could allow a malicious local user to delete arbitrary files with the right off the user how use xmysqladmin or to get sensible informations (content off a database)

During the drop off a database, xmysqladmin drop the database and create a tar.gz inside /tmp without checking if the file exist already.

The exploitation require that the malicious local user no wich database gonna be deleted.

Versions:

xmysqladmin <= 1.0

Solution:

In Makefile :

BACKUPDIR = .

I think that upstream should check if the file already exist or not before creating it.

To prevent symlink attack use kernel patch such as grsecurity

Timeline:

Discovered : 2005-05-24 Vendor notified : 2005-05-29 Vendor response : no reponse Vendor fix : no fix Disclosure : 2005-05-29

Technical details :

Vulnerable code :

In Makefile :

BACKUPDIR = /tmp

In createDropDB.c : begin line 94

void dropdb_drop(FL_OBJECT obj, long data) { char cmd;

if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo you want to continue?", 0)) return; if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre you sure?", 0)) return;

cmd = (char *) malloc(2048); if(!cmd) return;

sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR, g_dropdb_dbfname, BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

fl_show_command_log(FL_TRANSIENT); fl_exe_command(cmd, 1); free(cmd);

{ MYSQL connection; if(g_mysql_connect(&connection, Setup.host, Setup.user, Setup.password)) { if(mysql_drop_db(&connection, g_dropdb_dbfname)) { fl_show_alert(mysql_error(&connection),"","",0); } else { fl_show_message("The database",g_dropdb_dbfname,"has been destroyed"); }

   mysql_close&#40;&connection&#41;;
 }
 else
   {
       fl_show_alert&#40;&quot;Cannot connect to server&quot;,&quot;&quot;,&quot;&quot;,0&#41;;
   }

}

Related :

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792

Credits :

Eric Romang (eromang@zataz.net - ZATAZ Audit) Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)