Bug 156975

Summary: capi4hylafax: insecure tmp file handling
Product: [openSUSE] SUSE Linux 10.1 Reporter: Thomas Biege <thomas>
Component: OtherAssignee: Karsten Keil <karsten.keil>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: S.Schmidt, security-team
Version: Beta 7   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVE-2006-1231: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: fix

Description Thomas Biege 2006-03-10 10:48:52 UTC 
Hello,
this was sent to a public mailing-list.

Delivery-Date: Wed, 08 Mar 2006 19:26:19 +0100
Date: Tue, 07 Mar 2006 23:27:19 +0200
From: Javor Ninov <drfrancky@securax.org>
Reply-To: drfrancky@securax.org
User-Agent: Thunderbird 1.5 (Windows/20051201)
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: capi4hylafax insecure manipulation with tmp files
OpenPGP: id=06A3F982
Envelope-To: tom@electric-sheep.org

[-- PGP Ausgabe folgt (aktuelle Zeit: Fr 10 MÀr 2006 11:47:15 CET) --]
gpg: Unterschrift vom Di 07 MÀr 2006 22:27:19 CET, DSA SchlÌssel ID 06A3F982
gpg: Unterschrift kann nicht geprÃŒft werden: Ãffentlicher SchlÃŒssel nicht gefunden
[-- Ende der PGP-Ausgabe --]

[-- Die folgenden Daten sind signiert --]

capi4hylafax suite (http://freshmeat.net/projects/capi4hylafax/ ) is
addon for hylafax fax server (http://www.hylafax.org/)

vulnerable:
capi4hylafax-01.03.00 /probably others/

in capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp :

#ifdef GENERATE_DEBUGSFFDATAFILE
    dwarning (DebugSffDataFile == 0);
      if (!DebugSffDataFile) {
       DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
      }
#endif

in

and in capi4hylafax-01.03.00/src/faxsend/faxsend.cpp :
#ifdef GENERATE_DEBUGSFFDATAFILE
     dassert (DebugSffDataFile == 0);
     DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
#endif

vulnerable capi4hylafax-1.1a

in capi4hylafax-1.1a/src/standard/ExtFuncs.h :
    #define DEBUG_FILE_NAME             "/tmp/c2faxfcalls.log"

then in capi4hylafax-1.1a/src/standard/DbgFile.c:
unsigned DebugFileOpen (void) {
    DebugFileClose();
    hFile = fopen (DEBUG_FILE_NAME, "w");
    return (hFile != 0);
}
<snip>
void DebugFilePrint (char *string) {
    if (hFile) {
        fprintf (hFile, string);
        fflush (hFile);
    }
    printf (string);
}

impact:
a regular user of the system can create a symbolic link to file on which
hylafax has write access leading to overwriting of this file

!!! VENDOR IS NOT NOTIFIED !!!

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
Comment 1 Karsten Keil 2006-03-12 17:51:37 UTC 
This debug code was never active in our versions, it is for debugging internal details for developers and must be enabled at compile time. So this case is invalid for us I think.

But here is a other real case with the default LOGFILE /tmp/capifax.log, which
is configurable via /etc/config.faxCAPI and created if LogTraceLevel is set to a value != 0. Since the the default is 0 we are safe in a default installation, but since the admin may be change this to debug some problem we should change the default location to a none world writable directory (like /var/log/capifax.log).

I set AVM to CC, so they can inform the author about the issue.

Maybe we should also change the default locations for the DEBUG files of the original report to /var/log/ for the case, somebody compile his own version with DEBUG enabled.
Comment 3 Thomas Biege 2006-03-13 08:25:50 UTC 
Thank you. Fixing it in STABLE is sufficient.
Comment 4 Karsten Keil 2006-03-14 08:32:04 UTC 
I did change all /tmp/ log and debug file paths into /var/log/ for STABLE.
Comment 5 Thomas Biege 2006-03-14 09:18:08 UTC 
So, we are done...
Comment 6 Marcus Meissner 2006-03-16 07:36:13 UTC 
CVE-2006-1231
Comment 7 Karsten Keil 2006-03-16 07:44:56 UTC 
Created attachment 73220 [details]
fix

For completeness here the patch for our version.
Comment 8 Thomas Biege 2009-10-13 23:01:30 UTC 
CVE-2006-1231: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)