-------- Original Message --------
Subject: capi4hylafax insecure manipulation with tmp files
Date: Tue, 07 Mar 2006 23:27:19 +0200
From: Javor Ninov <drfrancky@xxxxxxxxxxx>
Reply-To: drfrancky@xxxxxxxxxxx
Organization: Securax LTD
To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
The capi4hylafax suite (http://freshmeat.net/projects/capi4hylafax/) is an add-on for the hylafax fax server (http://www.hylafax.org/)
vulnerable: capi4hylafax-01.03.00 /probably others/
#ifdef GENERATE_DEBUGSFFDATAFILE
    dwarning (DebugSffDataFile == 0);
    if (!DebugSffDataFile) {
        DebugSffDataFile = fopen ("/tmp/c2faxrecv_dbgdatafile.sff", "w");
    }
#endif

#ifdef GENERATE_DEBUGSFFDATAFILE
    dassert (DebugSffDataFile == 0);
    DebugSffDataFile = fopen ("/tmp/c2faxsend_dbgdatafile.sff", "w");
#endif
in capi4hylafax-1.1a/src/standard/ExtFuncs.h :

#define DEBUG_FILE_NAME "/tmp/c2faxfcalls.log"

then in capi4hylafax-1.1a/src/standard/DbgFile.c:

unsigned DebugFileOpen (void) {
    DebugFileClose();
    hFile = fopen (DEBUG_FILE_NAME, "w");
    return (hFile != 0);
}
<snip>
void DebugFilePrint (char *string) {
    if (hFile) {
        fprintf (hFile, string);
        fflush (hFile);
    }
    printf (string);
}
impact: a regular user of the system can create a symbolic link to a file to which hylafax has write access, leading to the overwriting of this file
Javor Ninov aka DrFrancky drfrancky shift+2 securax.org
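The fopen() pattern quoted in the advisory beside a hardened open, as an added example that is not part of the original message or of capi4hylafax. The function names, the scratch directory and the "victim" file are constructed for illustration; the demo works inside a private mkdtemp() directory.

```c
/* Added example: names and paths are constructed, not taken from capi4hylafax. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the advisory: fopen(..., "w") follows a symlink and truncates its target. */
static FILE *open_log_unsafe(const char *path) {
    return fopen(path, "w");
}

/* Hardened: O_EXCL fails if the name already exists (a symlink included),
 * O_NOFOLLOW refuses a symlink as the final component, 0600 keeps the file private. */
static FILE *open_log_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return NULL;
    FILE *f = fdopen(fd, "w");
    if (!f) close(fd);
    return f;
}

/* Builds a private scratch directory holding a 6-byte "victim" file and a
 * pre-planted symlink at the log path, opens the log, and returns the victim's
 * size afterwards (-1 on setup error): 6 means untouched, 0 means truncated. */
static long victim_size_after_open(int use_safe) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX", victim[64], logp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/debug.log", dir);
    FILE *v = fopen(victim, "w");
    if (!v) return -1;
    fputs("secret", v);
    fclose(v);
    if (symlink(victim, logp) != 0) return -1;
    FILE *log = use_safe ? open_log_safe(logp) : open_log_unsafe(logp);
    if (log) fclose(log);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(logp); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe: victim size %ld\n", victim_size_after_open(0));
    printf("safe:   victim size %ld\n", victim_size_after_open(1));
    return 0;
}
```

When the hardened open returns NULL the caller should skip debug logging rather than fall back to another predictable name in /tmp.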