SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Flexbackup Vendors:   flexbackup.sourceforge.net
Flexbackup Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1015068
SecurityTracker URL:  http://securitytracker.com/id/1015068
CVE Reference:   CVE-2005-4802   (Links to External Site)
Updated:  Nov 21 2006
Original Entry Date:  Oct 18 2005
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 1.2.1 and prior versions
Description:   Eric Romang from ZATAZ Audit reported a vulnerability in Flexbackup. A local user can gain elevated privileges on the target system.

The software creates several temporary files in an unsafe manner: the names are predictable (built from the hostname and the process ID) and the files are opened with a plain truncating open that follows symbolic links. Files are created in the '/tmp' directory by default.

A local user can create a symbolic link (symlink) at the predictable temporary file path, pointing at a critical file on the system. Then, when the script is run by a target user (or process), the critical file is created or overwritten with the privileges of that user. Because some of these temporary files are shell scripts that Flexbackup subsequently executes, a local user who wins the race can also supply script contents of their own.

The vendor was notified on September 19, 2005.

The original advisory is available at:

http://www.zataz.net/adviso/flexbackup-09192005.txt

Impact:   A local user may be able to gain elevated privileges on the target system.
Solution:   No solution was available at the time of this entry.

As a workaround, the report indicates that you can change the default $tmpdir directory configuration to a directory that is not writable by other local users. Note that the buffer-test script quoted in the source message below still hard-codes /tmp for its own data and error files, so that part is not covered by the workaround.

Vendor URL:  flexbackup.sourceforge.net/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  flexbackup default config insecure temporary file creation

#########################################################

flexbackup default config insecure temporary file creation

Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerabilities are due to insecure temporary file creation caused by the default 
configuration.

They allow symlink attacks that create or overwrite arbitrary files with the privileges of the user 
running the affected script, disclosure of sensitive information, and possibly local or 
remote execution of arbitrary commands (some of the temporary files are shell scripts that 
flexbackup then runs).

##########
Versions:
##########

flexbackup <= 1.2.1

##########
Solution:
##########

Change default config $tmpdir

#########
Timeline:
#########

Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report (vendor-sec@lst.de) : 2005-09-30
Disclosure : 2005-10-15

#####################
Technical details :
#####################

Vulnerable code :
-----------------

* In /etc/flexbackup.conf :

$tmpdir = '/tmp';

* Into flexbackup :

&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined, /tmp is used as the default; the shipped configuration file also sets 
tmpdir to /tmp explicitly, so a default installation uses /tmp either way.
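The advisory's only workaround is to point $tmpdir somewhere other than the shared /tmp. The following is an added example, not part of flexbackup: it reads $tmpdir from a flexbackup.conf (falling back to /tmp as checkvar does), verifies that the directory is owned by the user who will run flexbackup and is not writable by group or others, and compares the shipped setting with a corrected one. The function names, the scratch directories and the sample configuration files are constructed for this demonstration; GNU stat(1) is assumed for the ownership and mode query.

```shell
#!/bin/sh
# Added example (not flexbackup code): check whether the configured $tmpdir
# is private enough to rule out the symlink race in the advisory.

# Extracts the value of "$tmpdir = '...';" from a flexbackup.conf.
# An absent setting falls back to /tmp, mirroring
#   &checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');
conf_tmpdir() {
    dir=$(grep -E '^[[:space:]]*\$tmpdir[[:space:]]*=' "$1" 2>/dev/null | head -n 1 |
          sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' \
              -e "s/^['\"]//" -e "s/['\"]$//")
    printf '%s\n' "${dir:-/tmp}"
}

# Returns 0 when $1 is a real directory owned by the current user with no
# write bit for group or others, so no other local user can plant symlinks
# in it; returns 1 otherwise. Assumes GNU stat for '%u %a'.
tmpdir_is_private() {
    [ -L "$1" ] && return 1            # a symlinked tmpdir is itself suspect
    [ -d "$1" ] || return 1
    set -- "$1" $(stat -c '%u %a' "$1" 2>/dev/null)
    [ -n "$3" ] || return 1
    [ "$2" = "$(id -u)" ] || return 1
    go=${3#"${3%??}"}                  # last two octal digits: group, other
    case "$go" in
        [2367]?|?[2367]) return 1 ;;   # any write bit set for group or other
    esac
    return 0
}

# Prints "ok" or "unsafe" for the tmpdir a configuration file selects.
check_conf() {
    if tmpdir_is_private "$(conf_tmpdir "$1")"; then
        echo ok
    else
        echo unsafe
    fi
}

# Builds a weak and a fixed configuration in a scratch tree: 'shared' stands
# in for a world-writable /tmp, 'private' for the directory the workaround needs.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -m 1777 "$scratch/shared"
    mkdir -m 700 "$scratch/private"
    printf "\$tmpdir = '%s';\n" "$scratch/shared" > "$scratch/weak.conf"
    printf "\$tmpdir = '%s';\n" "$scratch/private" > "$scratch/fixed.conf"
    echo "weak.conf:  $(check_conf "$scratch/weak.conf")"
    echo "fixed.conf: $(check_conf "$scratch/fixed.conf")"
    rm -rf "$scratch"
}

demo
```

Run it as the account that executes flexbackup, since ownership is checked against the current uid. A mode such as 1777 fails on the write bits for others even though the sticky bit prevents deletion, because the sticky bit does nothing to stop another user creating a symlink under a predictable name.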

5229     my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236     # Create a script which tests the buffer program
5237     open(SCR,"> $tmp_script") || die;
5238     print SCR "#!/bin/sh\n";
5239     print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240     print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241     print SCR "echo testme > \$tmp_data\n";
5242     print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243     print SCR "res=\$?\n";
5244     print SCR "out=\`cat \$tmp_err\`\n";
5245     print SCR "if [ \$res -eq 0 ]; then\n";
5246     print SCR "   echo successful\n";
5247     print SCR "else\n";
5248     print SCR "   echo \"unsuccessful: exit code \$res: \$out\" \n";
5249     print SCR "fi\n";
5250     print SCR "rm -f \$tmp_data \$tmp_err\n";
5251     close(SCR);

Here a symlink attack (race condition) is possible on $tmp_script, and because flexbackup 
later executes that file, a local user who wins the race can also replace its contents with an 
untrusted script.

The script it generates is vulnerable in the same way: it hard-codes tmp_data=/tmp/bufftest$$.txt 
and tmp_err=/tmp/bufftest$$.err, so those names remain predictable (shell PID) and remain in 
/tmp even when $tmpdir is changed.

5253     if ($host eq 'localhost') {
5254         print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255         $pipecmd = "sh $tmp_script ";
5256     } else {
5257         print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258         $pipecmd =  "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script'        )";

We see here that the untrusted script is executed on localhost or, after being copied over 
$::remoteshell, on the remote host.
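The race described in the summary above and in the buffer-test snippet, reproduced as an added example that is not flexbackup code: a symlink is planted under the predictable name a vulnerable script would use, the truncating '>' redirection writes through it into the victim file, and the same write done through mktemp(1) leaves the victim untouched. The scratch directory, the victim file and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not flexbackup code): the symlink race on a predictable
# temp-file name, next to the hardened form. Runs inside a private scratch
# directory created with mktemp -d, so nothing outside it is touched.

# Vulnerable pattern, as in the generated buffer-test script
#   tmp_data=/tmp/bufftest$$.txt; echo testme > $tmp_data
# A name anyone can predict plus a truncating '>' that follows symlinks.
# $1 = shared temp directory, $2 = a file owned by the user running the script.
vulnerable_write() {
    tmp_data="$1/bufftest$$.txt"
    # Another local user won the race and planted a symlink under that name.
    ln -s "$2" "$tmp_data"
    # The script now truncates and writes through the link, into the victim file.
    echo testme > "$tmp_data"
    rm -f "$tmp_data"
}

# Hardened pattern: mktemp(1) picks an unguessable name and creates the file
# with O_CREAT|O_EXCL, so a pre-planted symlink is never followed. The -L test
# is belt and braces: it refuses to write if the path is a symlink anyway.
safe_write() {
    # The attacker can still plant links under guessable names; they are ignored.
    ln -s "$2" "$1/bufftest$$.txt"
    tmp_data=$(mktemp "$1/bufftest.XXXXXX") || return 1
    if [ -L "$tmp_data" ]; then
        echo "refusing to write through symlink $tmp_data" >&2
        return 1
    fi
    echo testme > "$tmp_data"
    rm -f "$tmp_data" "$1/bufftest$$.txt"
}

# Runs one writer ($1 = function name) against a fresh victim file and prints
# the victim's contents afterwards: "secret" means it survived, "testme" means
# it was clobbered.
victim_after() {
    scratch=$(mktemp -d) || return 1
    printf 'secret\n' > "$scratch/victim"
    "$1" "$scratch" "$scratch/victim"
    cat "$scratch/victim"
    rm -rf "$scratch"
}

echo "vulnerable pattern, victim now contains: $(victim_after vulnerable_write)"
echo "mktemp pattern,     victim now contains: $(victim_after safe_write)"
```

The same applies to the outer buftest.$host.$PROCESS_ID.sh file that Perl opens with "> $tmp_script": a truncating open through a symlink is what turns a temp-file name into an arbitrary-file write, and a randomised, O_EXCL-created name is what removes the attacker's ability to pre-create the path.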

5446     my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447     my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448     my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here $cfg::pad_blocks must be false for the symlink attack (race condition) to be reachable. 
pad_blocks is true in the shipped conf file, so there is no risk unless the configuration has 
been changed.

359     if (defined($::pkgdelta)) {
360         if (defined($::local)) {
361             &list_packages('localhost');
362             &find_packaged_files('localhost');
363             &find_changed_files('localhost');
364         }
365         foreach my $host (keys %::remotehosts) {
366             &list_packages($host);
367             &find_packaged_files($host);
368             &find_changed_files($host);
369         }
370         $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371         &line();
372     }

Here a symlink attack (race condition) is possible on the pkgdelta file list.

619     my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620     my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841         unlink($result);
842         open(SCR, "> $exitscript") || die;
843         print SCR '#!/bin/sh' . "\n";
844         print SCR '"$@"' . "\n";;
845         print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846         close(SCR);
847         chmod(0755, $exitscript);
848
849         push(@cmds, "[ ! -e $result ]");
850     }

This one is more difficult to race ($result is unlinked immediately before $exitscript is written), but the names are still predictable from the process ID.


#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.
Copyright 2020, SecurityGlobal.net LLC