Bugtraq mailing list archives


bacula insecure temporary file creation


From: "Eric Romang / ZATAZ.com" <eromang () zataz com>
Date: Tue, 20 Sep 2005 12:59:11 +0200

#########################################################
bacula insecure temporary file creation

Vendor: http://www.bacula.org/
Advisory: http://www.zataz.net/adviso/bacula-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact: low
Exploitation: low
#########################################################

The vulnerabilities are due to insecure temporary file creation.
They are symlink attacks that allow a local attacker to create arbitrary
files with the privileges of the user running the affected script, to read
sensitive information, and possibly to execute arbitrary commands.

##########
Versions:
##########

bacula <= 1.36.3

##########
Solution:
##########

Update to version 1.37.39 (Sep 19 2005)

#########
Timeline:
#########

Discovered: 2005-09-06
Vendor notified: 2005-09-19
Vendor response: 2005-09-19
Vendor fix: 2005-09-20
Vendor Sec report (vendor-sec () lst de): not needed
Disclosure: 2005-09-20

#####################
Technical details:
#####################

Vulnerable code:
-----------------

* Take a look at: autoconf/randpass

This file is used by configure and autoconf/configure.in to generate a
random password. Lines 11-19:

    tmp=/tmp/p.tmp.$$                      # predictable name: PID only
    cp autoconf/randpass.bc $tmp           # follows a symlink already at $tmp
    ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp
    date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
    ls -l /tmp | sum | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
    echo "j=s(k); for (i = 0; i < $PWL; i++) r()" >>$tmp
    echo "quit" >>$tmp
    bc $tmp | awk -f autoconf/randpass.awk # the seed that yields the password
    rm $tmp

There are two problems here: a symlink attack (race condition) on the
predictable name /tmp/p.tmp.$$, and disclosure of the generated password to
untrusted local users (race condition), since the bc input that derives it
is written to the shared /tmp under the default umask, where any local user
can read it before it is removed. This code path is only reached on systems
that do not have the openssl command.

* Take a look at: rescue/linux/getdiskinfo

Create bootstrap information files -- prelude to creating a Bacula Rescue
Disk. Lines 192-219:

    cat >mount_drives <<END_OF_DATA
    #!/bin/sh
    #
    #  Mount disk drives  -- created by getdiskinfo
    #
    END_OF_DATA
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext2.bsi >>mount_drives
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext3.bsi >>mount_drives
    echo "#" >>mount_drives
    # predictable name /tmp/1$$, opened with plain '>' and '>>'
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext2.bsi >/tmp/1$$
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext3.bsi >>/tmp/1$$
    # sort so that root is mounted first
    sort -k 3 </tmp/1$$ >>mount_drives   # whatever is in /tmp/1$$ now becomes part of the script
    rm -f /tmp/1$$

    chmod 755 mount_drives

    # copy sfdisk so we will have it
    cp -f /sbin/sfdisk .
    echo "Done building scripts."
    echo " "
    echo "You might want to do a:"
    echo " "
    echo "chown -R uuuu:gggg *"
    echo " "
    echo "where uuuu is your userid and gggg is your group"
    echo "so that you can access all the files as non-root"
    echo " "

There are two problems here: a symlink attack (race condition) on /tmp/1$$,
and possible arbitrary command execution with the user's privileges (race
condition): the contents of /tmp/1$$ are copied into mount_drives, which is
then made executable, so whoever controls /tmp/1$$ between its creation and
the sort controls what that script runs. This file does not seem to be
installed, so we can consider this bug invalid.

* Take a look at: scripts/mtx-changer.in

Bacula interface to mtx autoloader. Lines 117-124:

       loaded)
          ${MTX} -f $ctl status >/tmp/mtx.$$   # predictable name, plain '>'
          rtn=$?
          cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
          cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
          rm -f /tmp/mtx.$$
          exit $rtn
          ;;

A symlink attack (race condition) is possible via /tmp/mtx.$$.

* The following variable also appears in a lot of scripts:

    working_directory = "/tmp";

Upstream should check the use of this variable.

#########
Related:
#########

Bug report:
http://bugs.gentoo.org/show_bug.cgi?id=104986

Bug report:
http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=0000422

CVE:

#####################
Credits:
#####################

Eric Romang (eromang () zataz net - ZATAZ Audit) - Gentoo Security Scout
Thanks to the Gentoo Security Team.
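The following script is an added example and is not Bacula's code or part of the advisory. It covers both the randpass and the mtx-changer findings above: part 1 reproduces the symlink race on a predictable `/tmp/p.tmp.$$`-style name and contrasts it with `mktemp(1)`, which creates the file itself with `O_CREAT|O_EXCL` and mode 0600 under an unguessable name; part 2 rewrites the `loaded)` branch of mtx-changer so the autoloader status never touches `/tmp` at all, while still returning the status command's exit code. A private scratch directory stands in for the shared `/tmp`, the PIDs 4242 and 4243 are made up, and `fake_mtx_status` is a constructed stand-in for `${MTX} -f $ctl status` so that the example runs offline as an ordinary user.

```shell
#!/bin/sh
# Added example, not Bacula's code. Part 1: symlink race on a predictable
# temp-file name versus mktemp. Part 2: mtx-changer's 'loaded' branch without
# a temp file. Everything happens in a private scratch directory that stands
# in for /tmp (assumption: the demo runs as an unprivileged user).

SANDBOX=$(mktemp -d "${TMPDIR:-/tmp}/tmpfile-demo.XXXXXX") || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

# --- Part 1: predictable name vs. mktemp -------------------------------------

# Attacker's side: guess the PID the victim process will get (constructed
# values below) and pre-create a symlink from the predictable name to a file
# the victim is allowed to write.
plant_symlink() {            # $1 = predicted pid, $2 = target file
    ln -s "$2" "$SANDBOX/p.tmp.$1"
}

# Victim's side, written like randpass: build the name from the PID, then
# open it with plain '>' / '>>', which follow whatever symlink is there.
vulnerable_write() {         # $1 = pid used in the name
    tmp="$SANDBOX/p.tmp.$1"
    : >"$tmp"                        # truncating open follows the planted link
    echo "k=12345" >>"$tmp"          # seed material, as randpass appends it
    echo "quit" >>"$tmp"
    rm -f "$tmp"                     # removes the link, not the target
}

# Returns 0 when the attacker won: data meant for the private temp file
# landed in the victim file through the symlink.
demo_vulnerable() {
    victim="$SANDBOX/victim"; : >"$victim"
    plant_symlink 4242 "$victim"
    vulnerable_write 4242
    grep -q '^k=12345$' "$victim"
}

# Hardened victim: mktemp creates the file itself (O_CREAT|O_EXCL, mode 0600)
# under a random name, so a planted link is never followed and other local
# users cannot read the seed (the disclosure half of the advisory).
# Returns 0 when the victim file stayed empty and the temp file was a
# private regular file.
demo_hardened() {
    victim="$SANDBOX/victim"; : >"$victim"
    plant_symlink 4243 "$victim"     # attacker still tries a guess
    tmp=$(mktemp "$SANDBOX/p.tmp.XXXXXX") || return 2
    echo "k=12345" >>"$tmp"
    echo "quit" >>"$tmp"
    perms=$(ls -ld "$tmp" | cut -c1-10)
    is_private=1
    [ -f "$tmp" ] && [ ! -L "$tmp" ] && [ "$perms" = "-rw-------" ] && is_private=0
    rm -f "$tmp" "$SANDBOX/p.tmp.4243"
    [ "$is_private" -eq 0 ] && [ ! -s "$victim" ]
}

# --- Part 2: mtx-changer's 'loaded' branch without a temp file ---------------

# Constructed sample of what 'mtx -f $ctl status' prints; stands in for the
# real ${MTX} call so the example runs offline.
fake_mtx_status() {
    cat <<'EOF'
  Storage Changer /dev/sg0:1 Drives, 8 Slots ( 0 Import/Export )
Data Transfer Element 0:Full (Storage Element 3 Loaded):VolumeTag = VOL003
Data Transfer Element 1:Empty
      Storage Element 1:Full :VolumeTag=VOL001
      Storage Element 3:Empty
EOF
}

# Prints the slot loaded in drive $1 (0 if the drive is empty), parsed the
# same way mtx-changer does, but from a shell variable instead of /tmp/mtx.$$.
# The status command's exit code is captured before parsing and returned,
# which is the only thing the original needed the file for.
loaded_slot() {              # $1 = drive number, $2 = command printing the status
    status=$("$2"); rtn=$?
    printf '%s\n' "$status" | grep "^Data Transfer Element $1:Full" | awk '{print $7}'
    printf '%s\n' "$status" | grep "^Data Transfer Element $1:Empty" | awk '{print 0}'
    return $rtn
}

demo_vulnerable && echo "predictable name: attacker's symlink was followed"
demo_hardened   && echo "mktemp: victim untouched, temp file was mode 0600"
echo "drive 0 holds slot $(loaded_slot 0 fake_mtx_status), drive 1 holds slot $(loaded_slot 1 fake_mtx_status)"
```

The same two fixes apply to getdiskinfo: either create `/tmp/1$$` with `mktemp` (or, better, a `mktemp -d` directory and put all scratch files in it), or drop the intermediate file and pipe the two `sed` invocations straight into `sort -k 3 >>mount_drives`. Relying on `$$` alone is never enough, because PIDs are small, sequential and visible to every local user through `ps`.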
