Debian Bug report logs - #329384
hylafax: Temporary file vulnerability in xferfaxstats and other security concerns
Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>
Date: Wed, 21 Sep 2005 14:03:07 UTC
Severity: critical
Tags: patch, sarge, security, woody
Found in version hylafax/1:4.2.1-7
Fixed in version 1:4.2.2+rc1
Done: Joey Hess <joeyh@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Sacco <eppesuig@debian.org>: Bug#329384; Package hylafax.
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>: New Bug report received and forwarded. Copy sent to Giuseppe Sacco <eppesuig@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: hylafax
Severity: critical
Version: 1:4.2.1-7
Tags: woody sarge security patch
This was a mail sent to the Debian security team, the hylafax Debian
maintainer and the hylafax upstream maintainer a while back, since
then, version 1:4.2.2+rc1 has been uploaded to testing (Sept 3rd 2005)
making this issue public:
* Added patches from Javier Fernandez-Sanguino Peña to cron jobs in
order to redirect stderr, and to other scripts in order to fix
temporary directory usage. (See patch 702)
This is the mail sent describing the vulnerabilities (dated 6 Aug 2005).
Attached is the patch (700, not 702 as mentioned in the changelog) used by
the maintainer and based on my original patches.
Notice that the patch only fixes the tempdir vulnerabilities, the last issue
(the UNIX domain socket) has not yet been investigated.
-------------------------------------------------------------------------
Hi there hylafax maintainer and Debian security team,
While reviewing Debian packages for vulnerabilities due to the insecure
use of temporary files I've found that the hylafax package contains a
script (xferfaxstats) which is vulnerable to symlink attacks since
it uses temporary files in an unsafe way:
------------------------------------------------------------------
(...)
tmpAwk=/tmp/xferfax$$
trap "rm -f $tmpAwk; exit 1" 0 1 2 15
(...)
)>$tmpAwk
$AWK -f $tmpAwk -v TODAY="$TODAY" -v AGE="$AGE" -v SINCEDT="$SINCEDT" -v ENDDT="
------------------------------------------------------------------
Furthermore, this script is run on a monthly basis by the predefined cron
tasks in the package as root, so it makes this vulnerability an exploitable
issue in all systems that have this package installed.
I've reviewed all other hylafax scripts which make use of /tmp too:
/usr/sbin/recvstats, /usr/sbin/faxcron, /usr/sbin/faxaddmodem,
/usr/sbin/faxsetup and /usr/sbin/probemodem, and they use constructs which
prevent symlink attacks from overwriting files. It seems that the Debian
maintainer fixed these bugs on 28 Sep 1998 (based on the changelog) but
the xferstats script seems to have been missed.
This script is available in all hylafax-server versions: woody, sarge,
etch and sid.
I'm also concerned that the hylafax package creates /var/spool/hylafax/tmp
with mode 4777, supposedly (based on the manpages of those scripts) to be
used as a temporary location for files, but instead all of the scripts use
/tmp directly.
In order to clean up the code a little bit attached is a separate
(untested) patch which reviews all the use of temporary files in scripts:
1.- It makes all of them use mktemp if available; this prevents DoS attacks
against the scripts since rogue users will find it more difficult
to pre-create the temporary files. With the current code it is
simple to prevent all scripts from executing just by populating
the /tmp directory with symlinks.
2.- It makes all of them use TMPDIR if defined (through mktemp -t or
through the use of $TMPDIR instead of /tmp if mktemp is not available)
3.- It generates proper error messages if temporary files cannot be
created
4.- It changes cron jobs to forward error messages to the scripts to log
files or to mail messages
5.- Do not define 'exit 1' when setting traps, since the exit status
of the script will be changed (a 0 exit status will be 1 instead).
Code sample:
------------------------------------------------
#!/bin/sh
trap "echo trap; exit 1" 0 1 2 3 15
echo no trap
exit 0
----------------------------------------------
$ ./test.sh
no trap
trap
$ echo $?
1
This patch could be used in the sid package since it is actually code
cleanup. If it was added, the cron jobs could redefine TMPDIR to be
/var/spool/hylafax/tmp before calling the scripts so that the claim
of the manpages would be correct. Based on the current code that directory
does not seem to be used at all.
Finally, another concern, is that the default config file defines
FAX_DEFUNIX as /tmp/hyla.unix to setup a transport mode based on UNIX
domain sockets. The FaxClient code uses whatever transport mechanism
is available (through Transport::getTransport) and the Transport code says:
[ ./util/Transport.c++ ]
    if (UnixTransport::isA(FAX_DEFUNIX)) {
        client.setHost(FAX_DEFUNIX);
        return *new UnixTransport(client);
    } else {
        client.setHost(FAX_DEFHOST);
        return *new InetTransport(client);
    }
UnixTransport::isA is defined as:
[ util/UnixTransport.c++ ]
UnixTransport::isA(const char* address)
{
    return Sys::isSocketFile(address);
}
I don't see that the Debian package creates the UNIX domain socket at all.
Does this code mean that if a rogue local user were to create a UNIX
socket at /tmp/hyla.unix all Hylafax clients in the system would use that
instead of the InetTransport (localhost:4559)? Does this mean
that a local user could get access to all faxes sent and prevent faxes
from being sent to the proper Hylafax Server? Notice that this code
disputes the claim from the hylafax-client that it only communicates through
TCP/IP (the manpage does not mention it either) and can introduce
a different vulnerability in the system than the ones fixed by the
attached patches.
Regards
Javier Fernandez-Sanguino
[700_hylafax-tmpdir.dpatch (text/plain, attachment)]
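The fixes the report lists (mktemp when available, TMPDIR otherwise, a real error message on failure, and a cleanup trap that does not force `exit 1`) shown together as a small POSIX shell script. This is an added example written for this page; it is not hylafax's xferfaxstats nor the attached dpatch, and the function names secure_tmpfile, tmpfile_is_safe and trap_exit_status are this example's own.

```shell
#!/bin/sh
# Added example, not hylafax code: temporary-file handling as the report
# recommends, plus a check of the trap/exit-status point.

# secure_tmpfile PREFIX [nomktemp]
# Creates a fresh temporary file and prints its path.  mktemp -t honours
# $TMPDIR, picks an unpredictable name and creates the file 0600 with
# O_EXCL, so a pre-planted symlink is never followed.  The optional second
# argument forces the fallback for systems without mktemp: $TMPDIR (default
# /tmp) plus a noclobber redirection, which also opens with O_EXCL and
# refuses a path that already exists, symlink or not.  Either way a failure
# produces a message on stderr instead of silently continuing.
secure_tmpfile() {
    prefix=$1
    if [ "${2:-}" != nomktemp ] && command -v mktemp >/dev/null 2>&1; then
        f=$(mktemp -t "${prefix}.XXXXXX") || {
            echo "$0: cannot create temporary file in ${TMPDIR:-/tmp}" >&2
            return 1
        }
    else
        f=${TMPDIR:-/tmp}/${prefix}.$$
        ( set -C; umask 077; : > "$f" ) 2>/dev/null || {
            echo "$0: cannot create temporary file $f (already exists?)" >&2
            return 1
        }
    fi
    printf '%s\n' "$f"
}

# tmpfile_is_safe PATH: succeeds only for a regular file (not a symlink)
# that we own and that is mode 0600.
tmpfile_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    set -- $(ls -ld "$1")
    case $1 in -rw-------*) return 0 ;; *) return 1 ;; esac
}

# trap_exit_status bad|good: runs a tiny script in a child shell and prints
# its exit status.  "bad" is the pattern the report objects to (an exit 1
# inside the trap turns a successful run into a failure); "good" only
# removes the file, so the script's own exit status survives.
trap_exit_status() {
    status=0
    case $1 in
        bad)  sh -c 't=$(mktemp) || exit 3; trap "rm -f $t; exit 1" 0 1 2 15; exit 0' || status=$? ;;
        good) sh -c 't=$(mktemp) || exit 3; trap "rm -f $t" 0 1 2 15; exit 0' || status=$? ;;
        *)    echo "usage: trap_exit_status bad|good" >&2; return 2 ;;
    esac
    echo "$status"
}

# Run with the argument "demo" to see the pieces in action.
if [ "${1:-}" = demo ]; then
    f=$(secure_tmpfile xferfax) || exit 1
    trap 'rm -f "$f"' 0 1 2 15      # cleanup only: no "exit 1" here
    tmpfile_is_safe "$f" && echo "created $f safely"
    echo "exit status with 'exit 1' in the trap: $(trap_exit_status bad)"
    echo "exit status with a cleanup-only trap:  $(trap_exit_status good)"
fi
```

A cron job wanting the directory the manpages promise would simply export TMPDIR=/var/spool/hylafax/tmp before calling the script; both creation paths above honour it.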
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Sacco <eppesuig@debian.org>: Bug#329384; Package hylafax.
Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>: Extra info received and forwarded to list. Copy sent to Giuseppe Sacco <eppesuig@debian.org>.
Message #10 received at 329384@bugs.debian.org:
Hi!
The symlink attack on the xferfax$$ temporary file is CAN-2005-3069.
The "does not create or verify ownership of the UNIX domain socket"
vulnerability is CAN-2005-3070.
Please mention these numbers in the changelog when you fix this.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
Reply sent to Joey Hess <joeyh@debian.org>: You have taken responsibility.
Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>: Bug acknowledged by developer.
Message #15 received at 329384-done@bugs.debian.org:
Version: 1:4.2.2+rc1
.. because people still can't figure out how to do this on their own :-P
--
see shy jo
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 20:37:45 GMT)
Last modified: Tue Jul 16 09:54:31 2024