Bug 118786 - VUL-0: bacula: insecure temp file handling
Summary: VUL-0: bacula: insecure temp file handling
Status: RESOLVED FIXED
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Other (show other bugs)
Version: unspecified
Hardware: Other All
: P5 - None : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard: patchinfos submitted
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-26 12:55 UTC by Thomas Biege
Modified: 2005-10-12 14:16 UTC (History)
2 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2005-09-26 12:55:25 UTC 
Hello Anna,
the mail below describes a bug in bacula. Can you fix it in stable anf for
SLES10 please?



From: "Eric Romang / ZATAZ.com" <eromang@zataz.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.10) Gecko/20050716
To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com,
        moderators@osvdb.org, bugs@securitytracker.com,
        submissions@packetstormsecurity.org, news@securiteam.com,
        xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
        full-disclosure@lists.grok.org.uk
Cc: Eric Romang <eromang@zataz.net>, koon@gentoo.org
Subject: bacula insecure temporary file creation
Envelope-To: tom@electric-sheep.org

#########################################################

bacula insecure temporary file creation

Vendor: http://www.bacula.org/
Advisory: http://www.zataz.net/adviso/bacula-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerabilities ared due to insecure temporary files creations.
They are symlink attacks to create arbitrary files with the privileges
of the
user running the affected script, sensitive informations disclosure,
possible
arbitrary commands execution.

##########
Versions:
##########

bacula <= 1.36.3

##########
Solution:
##########

Update to version 1.37.39 (sep 19 2005)

#########
Timeline:
#########

Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : 2005-09-19
Vendor fix : 2005-09-20
Vendor Sec report (vendor-sec@lst.de) : no need
Disclosure : 2005-09-20

#####################
Technical details :
#####################

Vulnerable code :
-----------------

* Take a look on : autoconf/randpass

This file is used by configure and autoconf/configure.in to generate
random password.

11 tmp=/tmp/p.tmp.$$
12 cp autoconf/randpass.bc $tmp
13 ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp
14 date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
15 ls -l /tmp | sum | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
16 echo "j=s(k); for (i = 0; i < $PWL; i++) r()" >>$tmp
17 echo "quit" >>$tmp
18 bc $tmp | awk -f autoconf/randpass.awk
19 rm $tmp

They are 2 troubles, symlink attack (race condition) and password revelation
to unstruted user (race condition). This vulnerability is exploitable on
system that dont have openssl command.


* Take a look at : rescue/linux/getdiskinfo

Create bootstrap information files -- prelude to creating a Bacula
Rescue Disk

192 cat >mount_drives <<END_OF_DATA
193 #!/bin/sh
194 #
195 #  Mount disk drives  -- created by getdiskinfo
196 #
197 END_OF_DATA
198 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p'
$di/mount.ext2.bsi >>mount_drives
199 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p'
$di/mount.ext3.bsi >>mount_drives
200 echo "#" >>mount_drives
201 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p'
$di/mount.ext2.bsi >/tmp/1$$
202 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p'
$di/mount.ext3.bsi >>/tmp/1$$
203 # sort so that root is mounted first
204 sort -k 3 </tmp/1$$ >>mount_drives
205 rm -f /tmp/1$$
206
207 chmod 755 mount_drives
208
209 # copy sfdisk so we will have it
210 cp -f /sbin/sfdisk .
211 echo "Done building scripts."
212 echo " "
213 echo "You might want to do a:"
214 echo " "
215 echo "chown -R uuuu:gggg *"
216 echo " "
217 echo "where uuuu is your userid and gggg is your group"
218 echo "so that you can access all the files as non-root"
219 echo " "

They are two troubles, symlink attack (race condition) and possible
arbitrary
commands execution with users privileges (race condition)

This file don't seem to be installed, we can consider this bug as invalid


* Take a look at : scripts/mtx-changer.in

Bacula interface to mtx autoloader

117    loaded)
118       ${MTX} -f $ctl status >/tmp/mtx.$$
119       rtn=$?
120       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk
"{print \$7}"
121       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk
"{print 0}"
122       rm -f /tmp/mtx.$$
123       exit $rtn
124       ;;

symlink attack (race condition) possible


* Also we got this variable in a lot off script :

working_directory  = "/tmp";

Upstream should check the usage off this variable.

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=104986
Bug report http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=0000422
CVE :

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.
Comment 1 Anna Maresova 2005-09-26 13:09:51 UTC 
I will fix it. Vulnerable version is also in SUSE 10.
Comment 2 Anna Maresova 2005-10-04 19:12:09 UTC 
fixes submitted
Comment 3 Thomas Biege 2005-10-05 14:03:31 UTC 
Maintenance-Tracker-2518

/work/src/done/PATCHINFO/bacula.patch.box
Comment 4 Marcus Meissner 2005-10-12 14:16:39 UTC 
updates released, already mentioned in summary report.  
 
CAN-2005-2995