Re: hylafax security hole in faxcron, xferstats and recvstats

[marc () SUSE DE (Marc Heuse)]

Hi,

> faxcron, xferstats and recvstats as they are installed with
> hylafax-v4.0pl2 can be used to execute arbitary awk programs
> as the invoking user. All three programs are usually run by
> cron on behalf of the fax user (aka uucp).
>
> faxcron, xferstats and recvstats which are all Bourne Shell scripts
> create temporary files in /tmp which are later executed by awk. The
> names of these temp files can easily be guessed. Any awk code that is
> found in a correctly guessed file will be run verbatim (if the attacker
> was clever enough to protect his file from being overwritten).

I found & fixed these bugs on monday, an update package should be
available today (wednesday) for the S.u.S.E. distribution on the usual
update sites (e.g. ftp.suse.com)
Fixes for the hylafax maintainer should be on their way

It would be nice to be informed earlier if you find security problems, so
a fix can be downloaded once the script kiddies know about the
vulnerabilities and try their attacks, that we have got a fix know is only
a coincidence, and it will take a day or two until other linux distribution
will fixed and build their package.


Greets,
        Marc
--
  Marc Heuse, S.u.S.E. GmbH, Fahrradstr. 56, D-90429 Nuernberg
  E@mail: marc () suse de   Function: Security Support & Auditing
  Use  "finger marc () suse de | pgp -fka"  for my public pgp key