| Subject: | [Full-disclosure] bacula insecure temporary file creation |
|---|---|
| Date: | Tue, 20 Sep 2005 12:59:11 +0200 |
#########################################################
bacula insecure temporary file creation
Vendor: http://www.bacula.org/
Advisory: http://www.zataz.net/adviso/bacula-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact: low
Exploitation: low
#########################################################
########## Versions: ##########
bacula <= 1.36.3
########## Solution: ##########
Update to version 1.37.39 (Sep 19 2005)
######### Timeline: #########
Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : 2005-09-19
Vendor fix : 2005-09-20
Vendor Sec report (vendor-sec@lst.de) : no need
Disclosure : 2005-09-20
##################### Technical details : #####################
Vulnerable code :
-----------------

* Take a look at : autoconf/randpass (lines 11-19)

    tmp=/tmp/p.tmp.$$
    cp autoconf/randpass.bc $tmp
    ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp
    date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
    ls -l /tmp | sum | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
    echo "j=s(k); for (i = 0; i < $PWL; i++) r()" >>$tmp
    echo "quit" >>$tmp
    bc $tmp | awk -f autoconf/randpass.awk
    rm $tmp

There are two problems here: a symlink attack (race condition) and disclosure of the generated password to an untrusted local user (race condition), since the temporary file name is predictable and the file is created in the world-writable /tmp. This code path is only used on systems that do not have the openssl command, so the vulnerability is only exploitable there.
* Take a look at : rescue/linux/getdiskinfo (lines 192-219)

    cat >mount_drives <<END_OF_DATA
    #!/bin/sh
    #
    # Mount disk drives -- created by getdiskinfo
    #
    END_OF_DATA
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext2.bsi >>mount_drives
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext3.bsi >>mount_drives
    echo "#" >>mount_drives
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext2.bsi >/tmp/1$$
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext3.bsi >>/tmp/1$$
    # sort so that root is mounted first
    sort -k 3 </tmp/1$$ >>mount_drives
    rm -f /tmp/1$$

    chmod 755 mount_drives

    # copy sfdisk so we will have it
    cp -f /sbin/sfdisk .
    echo "Done building scripts."
    echo " "
    echo "You might want to do a:"
    echo " "
    echo "chown -R uuuu:gggg *"
    echo " "
    echo "where uuuu is your userid and gggg is your group"
    echo "so that you can access all the files as non-root"
    echo " "

This file does not seem to be installed, so this bug can be considered invalid.
* Take a look at : scripts/mtx-changer.in (Bacula interface to the mtx autoloader, lines 117-124)

    loaded)
       ${MTX} -f $ctl status >/tmp/mtx.$$
       rtn=$?
       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
       rm -f /tmp/mtx.$$
       exit $rtn
       ;;

A symlink attack (race condition) is possible here: /tmp/mtx.$$ is a predictable name and the redirection follows a pre-existing symlink.

* We also found this variable in a lot of scripts :

working_directory = "/tmp";

Upstream should check the usage of this variable.
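The randpass and mtx-changer fragments above share one defect: the script picks a temporary file name that another local user can predict (PID-based) and then opens it with a plain redirection, which follows any symlink already sitting at that path. The following is an added example, not Bacula's code, that shows the predictable-name pattern next to a hardened equivalent built on mktemp, plus a sanity check a script can run before trusting a temp path. The mtx status line, the /tmp prefix and the function names are constructed for the demonstration; the `$7` field extraction mirrors the mtx-changer snippet.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Bacula): predictable temp
# file vs. a mktemp-based replacement, in the style of the quoted scripts.

# Vulnerable pattern from the advisory: the name depends only on the PID,
# so it is guessable, and '>' will happily write through a planted symlink.
unsafe_tmp_name() {
    echo "/tmp/p.tmp.$$"
}

# Hardened: mktemp creates the file itself (O_CREAT|O_EXCL, mode 0600) under
# an unpredictable name, so there is no window between choosing the name and
# creating the file, and the contents are not readable by other local users.
safe_tmp_create() {
    dir=${TMPDIR:-/tmp}
    mktemp "$dir/bacula-XXXXXX"
}

# Defensive check before reading or writing a temp path: it must be a regular
# file and must not be a symbolic link.  (Ownership could additionally be
# checked with stat, which is omitted here to stay portable POSIX sh.)
tmp_is_sane() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# The mtx-changer 'loaded' case done safely.  The status line is a constructed
# stand-in for the output of "${MTX} -f $ctl status"; field 7 is the slot number.
capture_status_safely() {
    tmp=$(safe_tmp_create) || return 1
    # remove the file on any exit path, including signals
    trap 'rm -f "$tmp"' EXIT INT TERM
    printf 'Data Transfer Element 0:Full (Storage Element 3 Loaded):VolumeTag=ABC123\n' >"$tmp"
    tmp_is_sane "$tmp" || return 1
    grep '^Data Transfer Element 0:Full' "$tmp" | awk '{print $7}'
    rm -f "$tmp"
    trap - EXIT INT TERM
}
```

Run `capture_status_safely` to see the slot number extracted from a temp file that only this process could have created; the same mktemp-plus-trap shape replaces the `>/tmp/p.tmp.$$` and `>/tmp/mtx.$$` redirections in the quoted scripts.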
######### Related : #########
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=104986
Bug report : http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=0000422
CVE :
##################### Credits : #####################
Eric Romang (eromang@zataz.net - ZATAZ Audit) - Gentoo Security Scout
Thanks to the Gentoo Security Team.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/