Bugzilla – Bug 156975
capi4hylafax: insecure tmp file handling
Last modified: 2009-10-13 23:01:30 UTC
Hello, this was sent to a public mailing-list.

Delivery-Date: Wed, 08 Mar 2006 19:26:19 +0100
Date: Tue, 07 Mar 2006 23:27:19 +0200
From: Javor Ninov <drfrancky@securax.org>
Reply-To: drfrancky@securax.org
User-Agent: Thunderbird 1.5 (Windows/20051201)
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: capi4hylafax insecure manipulation with tmp files
OpenPGP: id=06A3F982
Envelope-To: tom@electric-sheep.org

[-- PGP Ausgabe folgt (aktuelle Zeit: Fr 10 Mär 2006 11:47:15 CET) --]
gpg: Unterschrift vom Di 07 Mär 2006 22:27:19 CET, DSA Schlüssel ID 06A3F982
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
[-- Ende der PGP-Ausgabe --]
[-- Die folgenden Daten sind signiert --]

capi4hylafax suite (http://freshmeat.net/projects/capi4hylafax/) is an addon for the hylafax fax server (http://www.hylafax.org/).

vulnerable: capi4hylafax-01.03.00 /probably others/

in capi4hylafax-01.03.00/src/faxrecv/faxrecv.cpp :

    #ifdef GENERATE_DEBUGSFFDATAFILE
        dwarning (DebugSffDataFile == 0);
        if (!DebugSffDataFile) {
            DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
        }
    #endif

and in capi4hylafax-01.03.00/src/faxsend/faxsend.cpp :

    #ifdef GENERATE_DEBUGSFFDATAFILE
        dassert (DebugSffDataFile == 0);
        DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
    #endif

vulnerable capi4hylafax-1.1a

in capi4hylafax-1.1a/src/standard/ExtFuncs.h :

    #define DEBUG_FILE_NAME "/tmp/c2faxfcalls.log"

then in capi4hylafax-1.1a/src/standard/DbgFile.c:

    unsigned DebugFileOpen (void) {
        DebugFileClose();
        hFile = fopen (DEBUG_FILE_NAME, "w");
        return (hFile != 0);
    }

    <snip>

    void DebugFilePrint (char *string) {
        if (hFile) {
            fprintf (hFile, string);
            fflush (hFile);
        }
        printf (string);
    }

impact: a regular user of the system can create a symbolic link to a file on which hylafax has write access, leading to this file being overwritten.

!!! VENDOR IS NOT NOTIFIED !!!

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
This debug code was never active in our versions; it is for debugging internal details for developers and must be enabled at compile time. So this case is invalid for us, I think. But here is another real case with the default LOGFILE /tmp/capifax.log, which is configurable via /etc/config.faxCAPI and created if LogTraceLevel is set to a value != 0. Since the default is 0 we are safe in a default installation, but since the admin may change this to debug some problem, we should change the default location to a non-world-writable directory (like /var/log/capifax.log). I set AVM to CC, so they can inform the author about the issue. Maybe we should also change the default locations for the DEBUG files of the original report to /var/log/ for the case that somebody compiles his own version with DEBUG enabled.
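The report above and the maintainer's proposed fix both reduce to two defensive rules for a daemon that writes log or debug files: do not put fixed-name files in a directory other users can write to, and do not let the open call follow a symlink that somebody else may have planted at that name. The following C program is an added example written for this page; it is not code from capi4hylafax, from the bug report, or from the attached patch, and the function names (open_log_nofollow, dir_is_private, demo_symlink_rejected) and the scratch paths it builds under $TMPDIR are constructed for the demonstration. It opens the log with O_NOFOLLOW and re-checks the opened object with fstat, then shows that a symlink named like the log file is refused with ELOOP while the file it points at stays untouched, and that a 1777 directory such as /tmp fails the world-writable check that a private directory passes.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log file for appending without following a symlink in the final
 * path component. A symlink at `path` makes open() fail with ELOOP instead
 * of silently writing through to whatever the link points at. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Second check on the object actually opened: it must be a regular file
     * owned by our effective uid, so a pre-planted FIFO or someone else's
     * file at that name is refused as well. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Returns 1 if `dir` is a directory that is not world-writable, 0 otherwise.
 * /tmp fails this check (sticky bit or not); /var/log passes on a normal
 * installation. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return (st.st_mode & S_IWOTH) == 0;
}

/* Constructed, self-contained demonstration of the two checks above.
 * Returns 0 when every step behaved as expected, otherwise the number of
 * the step that failed. */
int demo_symlink_rejected(void)
{
    const char *base = getenv("TMPDIR");
    if (!base) base = "/tmp";
    char dir[256], victim[256], link[256], plain[256], shared[256];
    snprintf(dir, sizeof dir, "%s/capifax_nofollow_XXXXXX", base);
    if (mkdtemp(dir) == NULL)          /* private scratch directory, mode 0700 */
        return 1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(link,   sizeof link,   "%s/capifax.log", dir); /* planted symlink */
    snprintf(plain,  sizeof plain,  "%s/honest.log",  dir);
    snprintf(shared, sizeof shared, "%s/shared",      dir);
    int rc = 0;

    /* Step 2: a file we can write to but must never be tricked into clobbering. */
    FILE *f = fopen(victim, "w");
    if (!f || fputs("important=1\n", f) == EOF) rc = 2;
    if (f) fclose(f);

    /* Step 3: a symlink carrying the log file's name, pointing at the victim. */
    if (rc == 0 && symlink(victim, link) != 0) rc = 3;

    /* Step 4: the hardened open must refuse the link with ELOOP. */
    if (rc == 0) {
        int fd = open_log_nofollow(link);
        if (fd >= 0) { close(fd); rc = 4; }
        else if (errno != ELOOP) rc = 4;
    }
    /* Step 5: a plain path still works and receives the log line. */
    if (rc == 0) {
        int fd = open_log_nofollow(plain);
        if (fd < 0 || write(fd, "log line\n", 9) != 9) rc = 5;
        if (fd >= 0) close(fd);
    }
    /* Step 6: the victim's content is untouched. */
    if (rc == 0) {
        char buf[64] = {0};
        f = fopen(victim, "r");
        if (!f || fgets(buf, sizeof buf, f) == NULL || strcmp(buf, "important=1\n") != 0) rc = 6;
        if (f) fclose(f);
    }
    /* Step 7: the 0700 scratch dir is private; a 1777 subdir (like /tmp) is not. */
    if (rc == 0) {
        if (!dir_is_private(dir)) rc = 7;
        else if (mkdir(shared, 0777) != 0 || chmod(shared, 01777) != 0) rc = 7;
        else if (dir_is_private(shared)) rc = 7;
    }

    /* Clean up regardless of outcome (unlink removes the link, not its target). */
    unlink(link); unlink(plain); unlink(victim); rmdir(shared); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_rejected();
    printf("%s (step %d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc;
}
```

The O_NOFOLLOW flag only protects the last path component; the directory check is what keeps an attacker from planting anything at the fixed name in the first place, which is why the maintainer's move from /tmp to /var/log is the more important half of the fix.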
Thank you. Fixing it in STABLE is sufficient.
I did change all /tmp/ log and debug file paths into /var/log/ for STABLE.
So, we are done...
CVE-2006-1231
Created attachment 73220 [details]: fix
For completeness, here is the patch for our version.
CVE-2006-1231: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)