bacula insecure temporary file creation

["Eric Romang / ZATAZ.com" <eromang () zataz com>]

#########################################################

bacula insecure temporary file creation

Vendor: http://www.bacula.org/
Advisory: http://www.zataz.net/adviso/bacula-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerabilities ared due to insecure temporary files creations.
They are symlink attacks to create arbitrary files with the privileges 
of the
user running the affected script, sensitive informations disclosure, 
possible
arbitrary commands execution.

##########
Versions:
##########

bacula <= 1.36.3

##########
Solution:
##########

Update to version 1.37.39 (sep 19 2005)

#########
Timeline:
#########

Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : 2005-09-19
Vendor fix : 2005-09-20
Vendor Sec report (vendor-sec () lst de) : no need
Disclosure : 2005-09-20

#####################
Technical details :
#####################

Vulnerable code :
-----------------

* Take a look on : autoconf/randpass

This file is used by configure and autoconf/configure.in to generate 
random password.

11 tmp=/tmp/p.tmp.$$
12 cp autoconf/randpass.bc $tmp
13 ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp
14 date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
15 ls -l /tmp | sum | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
16 echo "j=s(k); for (i = 0; i < $PWL; i++) r()" >>$tmp
17 echo "quit" >>$tmp
18 bc $tmp | awk -f autoconf/randpass.awk
19 rm $tmp

They are 2 troubles, symlink attack (race condition) and password revelation
to unstruted user (race condition). This vulnerability is exploitable on
system that dont have openssl command.


* Take a look at : rescue/linux/getdiskinfo

Create bootstrap information files -- prelude to creating a Bacula 
Rescue Disk

192 cat >mount_drives <<END_OF_DATA
193 #!/bin/sh
194 #
195 #  Mount disk drives  -- created by getdiskinfo
196 #
197 END_OF_DATA
198 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p'
$di/mount.ext2.bsi >>mount_drives
199 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p'
$di/mount.ext3.bsi >>mount_drives
200 echo "#" >>mount_drives
201 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p'
$di/mount.ext2.bsi >/tmp/1$$
202 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p'
$di/mount.ext3.bsi >>/tmp/1$$
203 # sort so that root is mounted first
204 sort -k 3 </tmp/1$$ >>mount_drives
205 rm -f /tmp/1$$
206
207 chmod 755 mount_drives
208
209 # copy sfdisk so we will have it
210 cp -f /sbin/sfdisk .
211 echo "Done building scripts."
212 echo " "
213 echo "You might want to do a:"
214 echo " "
215 echo "chown -R uuuu:gggg *"
216 echo " "
217 echo "where uuuu is your userid and gggg is your group"
218 echo "so that you can access all the files as non-root"
219 echo " "

They are two troubles, symlink attack (race condition) and possible 
arbitrary
commands execution with users privileges (race condition)

This file don't seem to be installed, we can consider this bug as invalid


* Take a look at : scripts/mtx-changer.in

Bacula interface to mtx autoloader

117    loaded)
118       ${MTX} -f $ctl status >/tmp/mtx.$$
119       rtn=$?
120       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk
"{print \$7}"
121       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk
"{print 0}"
122       rm -f /tmp/mtx.$$
123       exit $rtn
124       ;;

symlink attack (race condition) possible


* Also we got this variable in a lot off script :

working_directory  = "/tmp";

Upstream should check the usage off this variable.

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=104986
Bug report http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=0000422
CVE :

#####################
Credits :
#####################

Eric Romang (eromang () zataz net - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.