SecuriTeam - Flexbackup Default Config Insecure Temporary File Creation

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

"Flexible backup tool for small to medium sized installations. Flexbackup is a flexible backup tool that works well for small to medium sized tasks for which solutions like amanda are overkill."

Lack of random temporary file name by flexbackup, allows local attackers to execute arbitrary programs with the privileges of other users of the flexbackup program.

Credit:
The information has been provided by ZATAZ Audits.
The original article can be found at: http://www.zataz.net/adviso/flexbackup-09192005.txt
Gentoo Bug Report can be found at: http://bugs.gentoo.org/show_bug.cgi?id=105000

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* flexbackup version 1.2.1 and prior

flexbackup is vulnerable to symlink attacks allowing local attackers to create arbitrary files with the privileges of the user running the affected script. This in turn could cause information disclosure, possible local or even remote arbitrary commands execution.

Vulnerable Code:
* In /etc/flexbackup.conf :

$tmpdir = '/tmp';

* Into flexbackup :

&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined /tmp is used by default, but here into conf file tmpdir is by default set to /tmp

5229     my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236     # Create a script which tests the buffer program
5237     open(SCR,"> $tmp_script") || die;
5238     print SCR "#!/bin/sh\n";
5239     print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240     print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241     print SCR "echo testme > \$tmp_data\n";
5242     print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243     print SCR "res=\$?\n";
5244     print SCR "out=\`cat \$tmp_err\`\n";
5245     print SCR "if [ \$res -eq 0 ]; then\n";
5246     print SCR " echo successful\n";
5247     print SCR "else\n";
5248     print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
5249     print SCR "fi\n";
5250     print SCR "rm -f \$tmp_data \$tmp_err\n";
5251     close(SCR);

A possible symlink attack (race condition) exists on this code that is also possible to create a untrusted script into the tmp_script (race condition).

The script how is created is also vulnerable to possible symlink attack (race condition).

5253     if ($host eq 'localhost') {
5254         print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255         $pipecmd = "sh $tmp_script ";
5256     } else {
5257         print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258         $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script' )";

Untrusted script could be executed on localhost or remote host.

5446     my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447     my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448     my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here the $cfg::pad_blocks should be false to exploit the possible symlink attack (race condition). By default in the conf file pad_blocks is true. No risk if no configuration modification.

359     if (defined($::pkgdelta)) {
360         if (defined($::local)) {
361             &list_packages('localhost');
362             &find_packaged_files('localhost');
363             &find_changed_files('localhost');
364         }
365         foreach my $host (keys %::remotehosts) {
366             &list_packages($host);
367             &find_packaged_files($host);
368             &find_changed_files($host);
369         }
370         $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371         &line();
372     }

A possible symlink attack (race condition)

619     my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620     my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841         unlink($result);
842         open(SCR, "> $exitscript") || die;
843         print SCR '#!/bin/sh' . "\n";
844         print SCR '"$@"' . "\n";;
845         print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846         close(SCR);
847         chmod(0755, $exitscript);
848
849         push(@cmds, "[ ! -e $result ]");
850     }

blog comments powered by Disqus

	ProFTPD Response Pool Use-After-Free Code Execution Vulnerability
	Insight Control for Linux Multiple Vulnerabilities
	HP-UX Running NFS/ONCplus Denial of Service Vulnerability
	HP-UX Running BIND Denial of Service Vulnerability 2011
	HP-UX Running XNTP Denial of Service Vulnerability
	HP-UX Denial of Service Vulnerability
	Webkit Detached Body Element Code Execution Vulnerability
	Mac OS X Compact Font Format Decoder Code Execution Vulnerability
	WebKit WBR Tag Removal Code Execution Vulnerability
	Webkit Undefined DOM Prototype Attach Code Execution Vulnerability
	Apple HFS Information Disclosure Vulnerability
	XPDF arbitrary Arbitrary Code Execution Vulnerabilities
	Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability
	Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability
	HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities