Date: Tue, 22 Sep 1998 13:00:44 +0200
From: Tobias Richter <tsr@CAVE.ISDN.CS.TU-BERLIN.DE>
Subject: hylafax security hole in faxcron, xferstats and recvstats
To: BUGTRAQ@NETSPACE.ORG

Hi,

this is about the HylaFAX Facsimile Software, copyrighted by Sam Leffler and Silicon Graphics, Inc. but available for free.

faxcron, xferstats and recvstats as they are installed with hylafax-v4.0pl2 can be used to execute arbitrary awk programs as the invoking user. All three programs are usually run by cron on behalf of the fax user (aka uucp).

faxcron, xferstats and recvstats, which are all Bourne shell scripts, create temporary files in /tmp which are later executed by awk. The names of these temp files can easily be guessed. Any awk code that is found in a correctly guessed file will be run verbatim (if the attacker was clever enough to protect his file from being overwritten).

There are several other files created (but not executed) in /tmp with the same weak naming scheme and without any checks for tampering.

Disabling those scripts completely should not break hylafax services. You'll only miss those nice reports.

Greetings,
tobias
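As an added illustration (not code from the advisory or from the HylaFAX sources), the weak temp-file pattern described above next to a hardened way of running a generated awk program; it assumes mktemp(1) and awk(1) are installed and uses a constructed log sample rather than a real HylaFAX log.

```shell
#!/bin/sh
# Added example, not HylaFAX code. Assumes mktemp(1) and awk(1) are present.

# Weak pattern the advisory describes: a guessable name in a shared /tmp,
# written without any checks and then handed to awk as a program. Whoever
# pre-creates /tmp/xferstats.<pid> (and protects it) picks what awk runs.
weak_run_awk() {
    tmp=/tmp/xferstats.$$          # $$ is easy to predict for a cron job
    echo "$1" > $tmp               # silently follows a planted symlink
    awk -f $tmp
    rm -f $tmp
}

# Hardened pattern: an unpredictable private directory created by mktemp,
# mode 0700 via umask, noclobber so '>' never adopts an existing file, and
# a check that the program file is a regular file and not a symlink before
# awk executes it. The body runs in a subshell so umask/set -C do not leak.
safe_run_awk() (
    umask 077
    dir=$(mktemp -d "${TMPDIR:-/tmp}/faxreport.XXXXXX") || exit 1
    trap 'rm -rf "$dir"' EXIT      # clean up on every exit path
    prog=$dir/prog.awk
    set -C                         # refuse to overwrite an existing file
    printf '%s\n' "$1" > "$prog" || exit 1
    [ -f "$prog" ] && [ ! -L "$prog" ] || exit 1
    awk -f "$prog"                 # data to summarise arrives on stdin
)

# Constructed sample lines in the spirit of a fax transfer log (not the
# real HylaFAX log format): date, time, direction, pages.
SAMPLE_LOG='09/22/98 12:00 SEND 3
09/22/98 12:05 RECV 2
09/22/98 12:07 SEND 4'

# Report the total pages sent with a generated awk program, as the report
# scripts do, but through the hardened runner. Prints 7 for the sample.
pages_sent() {
    printf '%s\n' "$SAMPLE_LOG" |
        safe_run_awk '$3 == "SEND" { n += $4 } END { print n + 0 }'
}

pages_sent
```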