Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:9962
HistoryOct 19, 2005 - 12:00 a.m.

flexbackup default config insecure temporary file creation

2005-10-1900:00:00
vulners.com
11
JSON

#########################################################

flexbackup default config insecure temporary file creation

Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerabilities ared due to insecure temporary files creations due
to a default config.

They are symlink attacks to create arbitrary files with the privileges
of the user running the affected script, sensitive informations
disclosure, possible local or remote arbitrary commands execution.

##########
Versions:
##########

flexbackup <= 1.2.1

##########
Solution:
##########

Change default config $tmpdir

#########
Timeline:
#########

Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report ([email protected]) : 2005-09-30
Disclosure : 2005-10-15

#####################
Technical details :
#####################

Vulnerable code :

  • In /etc/flexbackup.conf :

$tmpdir = '/tmp';

  • Into flexbackup :

&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined /tmp is used by default, but here into conf
file tmpdir is by default set to /tmp

5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236 # Create a script which tests the buffer program
5237 open(SCR,"> $tmp_script") || die;
5238 print SCR "#!/bin/sh\n";
5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241 print SCR "echo testme > \$tmp_data\n";
5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243 print SCR "res=\$?\n";
5244 print SCR "out=\`cat \$tmp_err\`\n";
5245 print SCR "if [ \$res -eq 0 ]; then\n";
5246 print SCR " echo successful\n";
5247 print SCR "else\n";
5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
5249 print SCR "fi\n";
5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
5251 close(SCR);

Here we have possible symlink attack (race condition), and also
possibility to create a untrusted script into the tmp_script (race
condition).

The script how is created is also vulnerable to possible symlink attack
(race condition).

5253 if ($host eq 'localhost') {
5254 print $::msg "| Checking '$cfg::buffer' on this machine… ";
5255 $pipecmd = "sh $tmp_script ";
5256 } else {
5257 print $::msg "| Checking '$cfg::buffer' on host $host… ";
5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat >
$tmp_script; sh $tmp_script; rm -f $tmp_script' )";

We see here that the untrusted script could be executed on localhost or
remote
host.

5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here the $cfg::pad_blocks should be false to exploit the possible
symlink attack (race condition). By default in the conf file pad_blocks
is true. No risk if no configuration modification.

359 if (defined($::pkgdelta)) {
360 if (defined($::local)) {
361 &list_packages('localhost');
362 &find_packaged_files('localhost');
363 &find_changed_files('localhost');
364 }
365 foreach my $host (keys %::remotehosts) {
366 &list_packages($host);
367 &find_packaged_files($host);
368 &find_changed_files($host);
369 }
370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371 &line();
372 }

Here we have possible symlink attack (race condition)

619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841 unlink($result);
842 open(SCR, "> $exitscript") || die;
843 print SCR '#!/bin/sh' . "\n";
844 print SCR '"$@"' . "\n";;
845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846 close(SCR);
847 chmod(0755, $exitscript);
848
849 push(@cmds, "[ ! -e $result ]");
850 }

This one is more difficult to race.

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965

#####################
Credits :
#####################

Eric Romang ([email protected] - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.

Related

debian 2
ubuntu 1
securityvulns 1
openvas 2
cve 2
cvelist 1
debiancve 1
ubuntucve 1
debian
debian
[SECURITY] [DSA 857-1] New graphviz packages fix insecure temporary file
2005-10-10 00:00:00
[SECURITY] [DSA 857-1] New graphviz packages fix insecure temporary file
2005-10-10 06:43:55
ubuntu
ubuntu
graphviz vulnerability
2005-10-17 00:00:00
securityvulns
securityvulns
[Full-disclosure] [SECURITY] [DSA 857-1] New graphviz packages fix insecure temporary file
2005-10-10 00:00:00
openvas
openvas
Debian Security Advisory DSA 857-1 (graphviz)
2008-01-17 00:00:00
Ubuntu: Security Advisory (USN-208-1)
2022-08-26 00:00:00
cve
cve
CVE-2005-4803
2005-12-31 05:00:00
CVE-2005-2965
2005-10-12 13:04:00
cvelist
cvelist
CVE-2005-4803
2006-05-17 17:00:00
debiancve
debiancve
CVE-2005-4803
2005-12-31 05:00:00
ubuntucve
ubuntucve
CVE-2005-4803
2005-12-31 00:00:00
JSON
Related for SECURITYVULNS:DOC:9962
debian2ubuntu1securityvulns1openvas2cve2cvelist1debiancve1ubuntucve1