[10697] in bugtraq
/tmp symlink problems in SuSE Linux 6.1
daemon@ATHENA.MIT.EDU (Thomas Fischbacher)
Wed Jun 2 12:19:57 1999
Message-Id: <Pine.LNX.4.10.9906021050300.2154-100000@staufen.cip.physik.uni-muenchen.de>
Date: Wed, 2 Jun 1999 11:01:32 +0200
Reply-To: Thomas Fischbacher <Thomas.Fischbacher@PHYSIK.UNI-MUENCHEN.DE>
From: Thomas Fischbacher <Thomas.Fischbacher@PHYSIK.UNI-MUENCHEN.DE>
To: BUGTRAQ@NETSPACE.ORG
I notified SuSE GmbH several weeks ago about this problem, but didn't get
any response, therefore this post to Bugtraq.
With SuSE Linux 6.1 there are still a few programs around which blindly
create files in /tmp regardless of whether a symlink or something
similarly evil already exists in that place. Among these programs are
'man' and 'dvips'.
Though it seems to be impossible by now to overwrite /etc/passwd with a
plain simple /tmp/zman01234aaa symlink (didn't check if the source is
race-condition free, though), one can still create arbitrary
files which do funny things. Example:
perl -e 'for($i=1000;$i<5000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'
--
regards, tf@cip.physik.uni-muenchen.de (o_
Thomas Fischbacher - http://www.cip.physik.uni-muenchen.de/~tf //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y) V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))
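
The failure mode described in the post, next to the hardened form, as an added example that is not part of the original message or of any SuSE package. The scratch directory, the "victim" file name and the function names are constructed for illustration; the link name reuses the /tmp/zman01234aaa pattern from the post but is planted inside a private directory.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the post describes: predictable name, O_CREAT without O_EXCL.
   open() follows a dangling symlink and creates the file it points to. */
static int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, POSIX requires open() to fail with EEXIST
   if the name exists, even as a symlink, whatever the link points to. */
static int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Plants a dangling symlink in a private scratch directory and tries both.
   Returns bit 1 if the safe open refused and left the target absent,
   bit 0 if the unsafe open created the target; -1 on setup failure. */
int demo_symlink_tmp(void)
{
    char dir[] = "/tmp/symdemoXXXXXX";        /* constructed scratch dir */
    char lnk[64], victim[64];
    struct stat st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/zman01234aaa", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, lnk) != 0) { rmdir(dir); return -1; }

    fd = open_tmp_safe(lnk);
    if (fd < 0 && errno == EEXIST && stat(victim, &st) != 0) result |= 2;
    if (fd >= 0) close(fd);
    fd = open_tmp_unsafe(lnk);
    if (fd >= 0) close(fd);
    if (stat(victim, &st) == 0) result |= 1;

    unlink(victim); unlink(lnk); rmdir(dir);
    return result;
}

int main(void) { printf("result=%d\n", demo_symlink_tmp()); return 0; }
```

mkstemp() performs the same O_CREAT|O_EXCL open on an unpredictable name, so a program that uses it needs no fixed /tmp file name at all.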