Flexbackup Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1015068
SecurityTracker URL: http://securitytracker.com/id?1015068
CVE Reference: CVE-2005-4802
Updated: Nov 21 2006
Original Entry Date: Oct 18 2005
Impact: Execution of arbitrary code via local system, User access via local system
Version(s): 1.2.1 and prior versions
Description: Eric Romang from ZATAZ Audit reported a vulnerability in Flexbackup. A local user can gain elevated privileges on the target system.
The software creates several temporary files in an unsafe manner. Files are created in the '/tmp' directory by default.
A local user can create a symbolic link (symlink) from a critical file on the system to a temporary file to be used by Flexbackup. Then, when the script is run by a target user (or process), the symlinked file may be created or overwritten with the privileges of the target user.
The vendor was notified on September 19, 2005.
The original advisory is available at:
http://www.zataz.net/adviso/flexbackup-09192005.txt
Impact: A local user may be able to gain elevated privileges on the target system.
Solution: No solution was available at the time of this entry.
As a workaround, the report indicates that you can change the default $tmpdir directory configuration.
Vendor URL: flexbackup.sourceforge.net/
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: ZATAZ Audits <exploits@zataz.net>
Message History:
None.
Source Message Contents
Date: Mon, 17 Oct 2005 10:06:06 +0200
From: ZATAZ Audits <exploits@zataz.net>
Subject: flexbackup default config insecure temporary file creation
#########################################################
flexbackup default config insecure temporary file creation
Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
The vulnerabilities are due to insecure temporary file creation caused by a default
config.
They are symlink attacks to create arbitrary files with the privileges of the user
running the affected script, sensitive information disclosure, and possible local or
remote arbitrary command execution.
##########
Versions:
##########
flexbackup <= 1.2.1
##########
Solution:
##########
Change default config $tmpdir
#########
Timeline:
#########
Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report (vendor-sec@lst.de) : 2005-09-30
Disclosure : 2005-10-15
#####################
Technical details :
#####################
Vulnerable code :
-----------------
* In /etc/flexbackup.conf :
$tmpdir = '/tmp';
* Into flexbackup :
&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');
If tmpdir is not defined, /tmp is used by default, but in the conf file tmpdir is
set to /tmp by default.
5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";
5236 # Create a script which tests the buffer program
5237 open(SCR,"> $tmp_script") || die;
5238 print SCR "#!/bin/sh\n";
5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241 print SCR "echo testme > \$tmp_data\n";
5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243 print SCR "res=\$?\n";
5244 print SCR "out=\`cat \$tmp_err\`\n";
5245 print SCR "if [ \$res -eq 0 ]; then\n";
5246 print SCR " echo successful\n";
5247 print SCR "else\n";
5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
5249 print SCR "fi\n";
5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
5251 close(SCR);
Here we have a possible symlink attack (race condition), and also the possibility to place
an untrusted script into tmp_script (race condition).
The script that is created is also vulnerable to a possible symlink attack (race
condition).
5253 if ($host eq 'localhost') {
5254 print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255 $pipecmd = "sh $tmp_script ";
5256 } else {
5257 print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script' )";
We see here that the untrusted script could be executed on localhost or on a remote
host.
5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";
Here $cfg::pad_blocks must be false for the possible symlink attack (race condition)
to be exploitable. By default in the conf file pad_blocks is true. No risk without a
configuration modification.
359 if (defined($::pkgdelta)) {
360 if (defined($::local)) {
361 &list_packages('localhost');
362 &find_packaged_files('localhost');
363 &find_changed_files('localhost');
364 }
365 foreach my $host (keys %::remotehosts) {
366 &list_packages($host);
367 &find_packaged_files($host);
368 &find_changed_files($host);
369 }
370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371 &line();
372 }
Here we have a possible symlink attack (race condition).
619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";
841 unlink($result);
842 open(SCR, "> $exitscript") || die;
843 print SCR '#!/bin/sh' . "\n";
844 print SCR '"$@"' . "\n";;
845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846 close(SCR);
847 chmod(0755, $exitscript);
848
849 push(@cmds, "[ ! -e $result ]");
850 }
This one is more difficult to race.
#########
Related :
#########
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ Audit) - Gentoo Security Scout
Thanks to the Gentoo Security Team.
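A hardened counterpart to the buftest script creation quoted in the advisory, added here as an example and not flexbackup's own code: the predictable "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh" name is replaced by File::Temp (O_CREAT|O_EXCL with a random suffix), the generated shell script uses mktemp instead of the hardcoded /tmp/bufftest$$.* names (which the $tmpdir workaround does not cover), and the temp directory is refused if it is world-writable without the sticky bit. The names $cfg::tmpdir, $host and $buffer_cmd are taken from the quoted lines; the buffer command value is a constructed stand-in.

```perl
#!/usr/bin/perl
# Added example: safe temp-file handling for the buftest step (not flexbackup code).
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

$cfg::tmpdir   = $ENV{FLEXBACKUP_TMPDIR} // '/tmp';  # assumed config source
my $host       = 'localhost';
my $buffer_cmd = 'cat';   # constructed stand-in for the configured buffer program

# Refuse a shared tmpdir that any user can write to unless the sticky bit is set,
# since that is exactly the setting in which a planted symlink is cheap.
sub tmpdir_is_safe {
    my ($dir) = @_;
    my @st = stat($dir) or return 0;
    return 0 unless S_ISDIR($st[2]);
    return 0 if ($st[2] & S_IWOTH) && !($st[2] & S_ISVTX);
    return 1;
}

sub write_buftest_script {
    my ($dir) = @_;
    die "unsafe tmpdir $dir\n" unless tmpdir_is_safe($dir);
    # tempfile() creates the file with O_EXCL and mode 0600 under a random name,
    # so a symlink pre-planted at a guessable path is never followed.
    my ($fh, $path) = tempfile("buftest.$host.XXXXXXXX", DIR => $dir, SUFFIX => '.sh');
    # The generated script also stops using /tmp/bufftest$$.txt and .err.
    print $fh <<"EOS";
#!/bin/sh
tmp_data=\$(mktemp "\${TMPDIR:-/tmp}/bufftest.XXXXXXXX") || exit 1
tmp_err=\$(mktemp "\${TMPDIR:-/tmp}/bufftest.XXXXXXXX") || exit 1
trap 'rm -f "\$tmp_data" "\$tmp_err"' EXIT
echo testme > "\$tmp_data"
$buffer_cmd > /dev/null 2> "\$tmp_err" < "\$tmp_data"
res=\$?
if [ \$res -eq 0 ]; then echo successful
else echo "unsuccessful: exit code \$res: \$(cat "\$tmp_err")"; fi
EOS
    close($fh) or die "close $path: $!";
    return $path;
}

my $script = write_buftest_script($cfg::tmpdir);
system('sh', $script) == 0 or warn "buftest failed\n";
unlink $script;
```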