Product: bacula
Version: 1.34.4 (maybe earlier) to 1.36.3, beta 1.37.25
URL: http://www.bacula.org
Vulnerability: possible symlink attack
Date: June 20, 2005
Discovered by: nixon

* Product

Bacula is a network based backup program and ships a default script for
driving tape autochangers.

* Possible symlink attack in autochanger script mtx-changer

When mtx-changer is run with the argument `loaded', a file named /tmp/mtx.PID
is created and deleted afterwards:

  loaded)
    ${MTX} -f $ctl status >/tmp/mtx.$$
    rtn=$?
    cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
    cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
    rm -f /tmp/mtx.$$
    exit $rtn
    ;;

By guessing the PID, a local attacker can create a symbolic link at
/tmp/mtx.PID pointing to any other file before the script is executed with
the `loaded' argument. The redirection follows the link, so the target file
is truncated and overwritten with the mtx output (the trailing rm -f removes
only the link itself). mtx-changer is executed with root privileges, so any
file on the system can be clobbered this way.

* Solution

  loaded)
    tmpfile=$HOME/.mtx.$$
    ${MTX} -f $ctl status > $tmpfile
    ...
    rm -f $tmpfile
    ...

- nixon - http://www.excluded.org
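The following is an added example, not code from the advisory or from Bacula's mtx-changer. It places the predictable /tmp/mtx.$$ pattern beside a mktemp-based replacement and shows, with a constructed symlink, why the redirection is the dangerous step. fake_mtx is an assumed stand-in for `${MTX} -f $ctl status`; its output is constructed here to resemble mtx(1) status lines. The advisory's own fix moves the file out of world-writable /tmp but keeps a PID-derived name; mktemp removes the guessability as well, which is the usual hardening for this class of bug.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Bacula's mtx-changer.
# fake_mtx stands in for `${MTX} -f $ctl status`; the output is constructed.

fake_mtx() {
    cat <<'EOF'
  Storage Changer /dev/sg0:2 Drives, 10 Slots ( 0 Import/Export )
Data Transfer Element 0:Full (Storage Element 3 Loaded):VolumeTag = 000003L2
Data Transfer Element 1:Empty
      Storage Element 1:Full :VolumeTag=000001L2
      Storage Element 2:Full :VolumeTag=000002L2
EOF
}

# Same grep/awk logic as the original `loaded)` branch, reading a file argument:
# prints the slot number for a loaded drive, or 0 for an empty one.
slot_for_drive() {
    drive=$1; statusfile=$2
    grep "^Data Transfer Element $drive:Full" "$statusfile" | awk '{print $7}'
    grep "^Data Transfer Element $drive:Empty" "$statusfile" | awk '{print 0}'
}

# Vulnerable shape: the name depends only on the PID. A local user who guesses
# it plants a symlink at /tmp/mtx.<pid> first; the `>` below then follows the
# link and truncates/overwrites the root-owned target. rm -f removes the link.
loaded_unsafe() {
    drive=$1
    fake_mtx > /tmp/mtx.$$
    rtn=$?
    slot_for_drive "$drive" /tmp/mtx.$$
    rm -f /tmp/mtx.$$
    return $rtn
}

# Hardened shape: mktemp creates a new file with a random name, O_EXCL and mode
# 0600, so nothing an attacker pre-planted can be the file we write to.
loaded_safe() {
    drive=$1
    tmpfile=$(mktemp "${TMPDIR:-/tmp}/mtx.XXXXXX") || return 1
    fake_mtx > "$tmpfile"
    rtn=$?
    slot_for_drive "$drive" "$tmpfile"
    rm -f "$tmpfile"
    return $rtn
}

# Demonstrates the attack precondition with a harmless constructed target:
# a symlink at a predictable path is followed by `>`, and the target gets the
# written data while rm -f only unlinks the symlink.
symlink_is_followed() {
    target=$(mktemp "${TMPDIR:-/tmp}/target.XXXXXX") || return 1
    link="${TMPDIR:-/tmp}/mtx.demo.$$"
    rm -f "$link"
    ln -s "$target" "$link"
    echo overwritten > "$link"      # writes through the link into $target
    rm -f "$link"                   # removes the link, not the target
    result=$(cat "$target")
    rm -f "$target"
    [ "$result" = overwritten ]
}
```

Run with `sh` and call `loaded_safe 0` (prints the slot of drive 0) or `symlink_is_followed` (succeeds when the redirection wrote through the link). Note that mktemp and the script must agree on TMPDIR, and that mktemp fails loudly rather than silently reusing an existing path, which is exactly the behaviour you want in a root-run helper.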