hylafax security hole in faxcron, xferstats and recvstats

From: Tobias Richter (tsrat_private-BERLIN.DE)
Date: Tue Sep 22 1998 - 04:00:44 PDT

    Hi,
    
    this is about the HylaFAX Facsimile Software copyrighted by
    Sam Leffler and Silicon Graphics, Inc but available for free.
    
    faxcron, xferstats and recvstats as they are installed with
    hylafax-v4.0pl2 can be used to execute arbitrary awk programs
    as the invoking user. All three programs are usually run by
    cron on behalf of the fax user (aka uucp).
    
    faxcron, xferstats and recvstats which are all Bourne Shell scripts
    create temporary files in /tmp which are later executed by awk. The
    names of these temp files can easily be guessed. Any awk code that is
    found in a correctly guessed file will be run verbatim (if the attacker
    was clever enough to protect his file from being overwritten).
    
    There are several other files created but not executed in /tmp with
    such a weak naming scheme and without any checks for tampering.
    
    Disabling those scripts completely should not break hylafax
    services. You'll only miss those nice reports.
    
    Greetings,
    tobias
    
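The weak pattern the post describes, beside a hardened form and a small audit check, as an added shell example that is neither HylaFAX's code nor part of the original message; the report logic, the sample log format and all function names are assumptions:

```sh
#!/bin/sh
# Added example, not HylaFAX's own code: a report script that builds an
# awk program in a file and runs it with `awk -f`. If that file sits in
# shared /tmp under a guessable name, whatever is already there is run.

# Weak pattern: /tmp plus the PID is trivially predictable, and nothing
# checks whether the path already existed before it is handed to awk.
weak_run_report() {
    tmp=/tmp/report.awk.$$
    echo '{ bytes += $2 } END { print bytes }' > "$tmp"
    awk -f "$tmp" "$1"
    rm -f "$tmp"
}

# Hardened: keep the program inside the script and pass it on the
# command line, so there is no file in a shared directory to tamper with.
safe_run_report() {
    awk '{ bytes += $2 } END { print bytes }' "$1"
}

# Hardened alternative when a file is unavoidable: a private directory
# created atomically by mktemp(1) with mode 0700, so the name need not
# be secret and nobody else can pre-create or replace the file.
safe_run_report_tmpfile() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '{ bytes += $2 } END { print bytes }' > "$dir/report.awk"
    awk -f "$dir/report.awk" "$1"
    status=$?
    rm -rf "$dir"
    return $status
}

# Audit check for installed scripts: exit 0 if a script builds a path
# under /tmp from the process id, the naming scheme the post describes.
uses_predictable_tmp() {
    grep -Eq '/tmp/[^[:space:]]*\$\$' "$1"
}

# Constructed sample transfer log, "<job> <bytes>" per line.
make_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' 'job1 100' 'job2 250' 'job3 50' > "$f"
    echo "$f"
}
```

Running `uses_predictable_tmp` over the installed faxcron, xferstats and recvstats scripts tells an administrator whether the shipped copies still use the weak naming.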



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:16 PDT