[Secure-testing-team] Bug#518518: backuppc: web frontend installed insecurely by default

Steven Price ecrips at gmail.com
Fri Mar 6 19:11:09 UTC 2009


Package: backuppc
Version: 3.1.0-4
Severity: grave
Tags: security
Justification: user security hole

Hi,

The CGI script of the web frontend is installed setuid to the backuppc user.
This means that any local user of the system can run the CGI script as the
backuppc user. The CGI script simply reads the REMOTE_USER environment
variable to check permissions which can be faked by the invoking user. The
CGI also seems to treat the absence of the REMOTE_USER variable as allowing
full access!

As an example on a default install that backs up /etc (the 'localhost' host)
the following command will reveal the password hashes for the web interface
(stored in /etc/backuppc/htpasswd and which should be readable only by the
backuppc user):

/usr/share/backuppc/cgi-bin/index.cgi action=RestoreFile host=localhost num=0 share=/etc dir=/backuppc/htpasswd

Note that if backuppc is used to fully back up other machines as root (the
recommended configuration) then it is possible using this method to read files
such as the backed up /etc/shadow !!

Thanks,

Steve

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (601, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages backuppc depends on:
ii  adduser                  3.110           add and remove users and groups
ii  apache2                  2.2.9-10+lenny2 Apache HTTP Server metapackage
ii  apache2-mpm-worker [http 2.2.9-10+lenny2 Apache HTTP Server - high speed th
ii  bzip2                    1.0.5-1         high-quality block-sorting file co
ii  debconf [debconf-2.0]    1.5.24          Debian configuration management sy
ii  dpkg                     1.14.25         Debian package management system
ii  libarchive-zip-perl      1.18-1          Module for manipulation of ZIP arc
ii  libcompress-zlib-perl    2.012-1         Perl module for creation and manip
ii  perl [libdigest-md5-perl 5.10.0-19       Larry Wall's Practical Extraction 
ii  perl-suid                5.10.0-19       Runs setuid Perl scripts
ii  samba-common             2:3.2.5-4       Samba common files used by both th
ii  smbclient                2:3.2.5-4       a LanManager-like simple client fo
ii  tar                      1.20-1          GNU version of the tar archiving u

Versions of packages backuppc recommends:
ii  exim4                        4.69-9      metapackage to ease Exim MTA (v4) 
ii  exim4-daemon-light [mail-tra 4.69-9      lightweight Exim MTA (v4) daemon
ii  libfile-rsyncp-perl          0.68-1.1+b1 A perl based implementation of an 
ii  openssh-client [ssh-client]  1:5.1p1-5   secure shell client, an rlogin/rsh
ii  rrdtool                      1.3.1-4     Time-series data storage and displ
ii  rsync                        3.0.3-2     fast remote file copy program (lik

Versions of packages backuppc suggests:
ii  iceweasel [www-browser]     3.0.6-1      lightweight web browser based on M
ii  links [www-browser]         2.1pre37-1.1 Web browser running in text mode
pn  par2                        <none>       (no description available)
ii  w3m [www-browser]           0.5.2-2+b1   WWW browsable pager with excellent

-- debconf information:
  backuppc/restart-webserver: true
* backuppc/configuration-note:
* backuppc/reconfigure-webserver: apache2
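The two flaws the report describes, a setuid CGI that any local user can invoke and a permission check that derives identity solely from REMOTE_USER and fails open when it is missing, can be illustrated side by side with a fail-closed variant. The following is an added example for this list archive, not BackupPC's own code or the Debian package's fix; the user tables, the web server uid of 33 and the helper names are constructed assumptions for illustration.

```python
"""Illustration of the pattern described in Bug#518518 and a fail-closed
alternative.  Added example; not BackupPC code.  ADMIN_USERS, HOST_USERS and
the web server uid used below are constructed assumptions."""
import os
import stat
import tempfile

ADMIN_USERS = {"admin"}                 # constructed sample: may view every host
HOST_USERS = {"localhost": {"alice"}}   # constructed sample: per-host access


def authorize_open(environ, host):
    """Vulnerable pattern from the report: identity comes only from the
    REMOTE_USER environment variable, which the invoking user controls when
    the script is setuid, and a missing variable grants unrestricted access."""
    user = environ.get("REMOTE_USER")
    if user is None:
        return "full"        # absence treated as admin: fails open
    if user in ADMIN_USERS:
        return "full"
    if user in HOST_USERS.get(host, set()):
        return "host"
    return "none"


def authorize_closed(environ, host, web_server_uid, real_uid=None):
    """Fail-closed variant: refuse unless the real uid is the web server's
    account (under setuid the real uid remains the invoker's, so a copy run
    from a local shell is rejected) and unless REMOTE_USER is actually set."""
    if real_uid is None:
        real_uid = os.getuid()
    if real_uid != web_server_uid:
        return "none"
    user = environ.get("REMOTE_USER")
    if not user:
        return "none"        # no authenticated identity: deny
    if user in ADMIN_USERS:
        return "full"
    if user in HOST_USERS.get(host, set()):
        return "host"
    return "none"


def is_setuid(path):
    """Packaging/audit check: True if the file carries the setuid bit, which
    is what allowed local users to run the CGI as the backuppc user."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def demo_setuid_check():
    """Creates a throwaway file, flips the setuid bit on it the way the
    reported package install did, and returns (before, after) from is_setuid."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o755)
        before = is_setuid(path)
        os.chmod(path, 0o4755)
        after = is_setuid(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("open, no REMOTE_USER:", authorize_open({}, "localhost"))
    print("closed, no REMOTE_USER:", authorize_closed({}, "localhost", 33, real_uid=33))
    print("closed, invoked from a shell:",
          authorize_closed({"REMOTE_USER": "admin"}, "localhost", 33, real_uid=1000))
    print("setuid bit before/after:", demo_setuid_check())
```

The real-uid check is the part that matters for a setuid CGI: the web server sets REMOTE_USER after authenticating the browser session, so a request whose real uid is anything other than the web server account never passed through that authentication and should be denied regardless of what the environment says.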