exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

xmysqladmin-05292005.txt

xmysqladmin-05292005.txt
Posted Jun 21, 2005
Authored by Eric Romang | Site zataz.net

xmysqladmin versions 1.0 and below suffer from a symlink vulnerability.

tags | advisory
SHA-256 | 2fa75758826d6d03130e584c9f1f59190b2772d66994dcc3615620ff5cfca684

xmysqladmin-05292005.txt

Change Mirror Download
#########################################################

xmysqladmin insecure temporary file creation

Vendor: Gilbert Therrien gilbert@ican.net or mysql@tcx.se
Advisory: http://www.zataz.net/adviso/xmysqladmin-05292005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

xmysqladmin contain a security flaw wich could allow a malicious
local user to delete arbitrary files with the right off the user
how use xmysqladmin or to get sensible informations
(content off a database)

During the drop off a database, xmysqladmin drop the database and create
a tar.gz
inside /tmp without checking if the file exist already.

The exploitation require that the malicious local user no wich database
gonna be deleted.

##########
Versions:
##########

xmysqladmin <= 1.0

##########
Solution:
##########

In Makefile :

BACKUPDIR = .

I think that upstream should check if the file already exist or not
before creating it.

To prevent symlink attack use kernel patch such as grsecurity

#########
Timeline:
#########

Discovered : 2005-05-24
Vendor notified : 2005-05-29
Vendor response : no reponse
Vendor fix : no fix
Disclosure : 2005-05-29

#####################
Technical details :
#####################

Vulnerable code :
-----------------

In Makefile :

BACKUPDIR = /tmp

In createDropDB.c : begin line 94

void dropdb_drop(FL_OBJECT *obj, long data)
{
char *cmd;

if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo
you want to continue?", 0))
return;
if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre
you sure?", 0))
return;

cmd = (char *) malloc(2048);
if(!cmd) return;

sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR,
g_dropdb_dbfname,
BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

fl_show_command_log(FL_TRANSIENT);
fl_exe_command(cmd, 1);
free(cmd);

{
MYSQL connection;
if(g_mysql_connect(&connection, Setup.host, Setup.user,
Setup.password))
{
if(mysql_drop_db(&connection, g_dropdb_dbfname))
{
fl_show_alert(mysql_error(&connection),"","",0);
}
else
{
fl_show_message("The database",g_dropdb_dbfname,"has been
destroyed");
}

mysql_close(&connection);
}
else
{
fl_show_alert("Cannot connect to server","","",0);
}
}

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93792

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close