[20318] in bugtraq
Insecure directory handling in KFM file manager
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Thu Apr 19 15:06:20 2001
Message-ID: <3ADDEDC1.DD792B71@starzetz.de>
Date: Wed, 18 Apr 2001 21:40:49 +0200
Reply-To: Paul Starzetz <paul@STARZETZ.DE>
From: Paul Starzetz <paul@STARZETZ.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
there is a symlink/owner problem in the KDE file manager kfm. I found it
on my SuSE 7.0, but I'm not sure if it is an original SuSE package or
not; rpm doesn't know about it:
paul@ps:/tmp > rpm -qfi /usr/opt/kde/bin/kfm
die Datei »/usr/opt/kde/bin/kfm« gehört zu keinem Paket
which means that the kfm binary is not known to rpm. However, I suspect
that it is included in all KDE1 distributions.
kfm will create a cache directory in /tmp named kfm-cache-UID, where UID
is the numerical user id, without checking for correct ownership. Then
it will write to files in the cache dir, for example:
root@ps:/tmp/kfm-cache-500 > ls -la
drwxrwxrwx 2 rws uboot 4096 Apr 18 21:18 .
drwxrwxrwt 15 root root 770048 Apr 18 21:16 ..
lrwxrwxrwx 1 rws uboot 18 Apr 18 21:18 index.html -> /home/paul/.bashrc
-rw-r--r-- 1 rws uboot 0 Apr 18 21:16 index.txt
root@ps:/tmp/kfm-cache-500 > ls -la /home/paul/.bashrc
-rw-r--r-- 1 paul users 1458 Jan 23 13:56 /home/paul/.bashrc
and after running kfm as user 500:
root@ps:/tmp/kfm-cache-500 > ls -la /home/paul/.bashrc
-rw-r--r-- 1 paul users 271 Apr 18 21:19 /home/paul/.bashrc
The impact is obvious :-/
Ihq.
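Added example, not code from the post or from KDE: a C sketch of the checks that close this class of bug (function names are assumed, kfm's actual code is not shown). The cache directory is opened without following symlinks and verified with fstat (owner, mode) before being trusted, and files are created with O_NOFOLLOW relative to that directory fd, so a planted index.html link no longer redirects the write; selftest() rebuilds the post's layout in a constructed scratch directory and shows the checks rejecting it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a cache dir only if it is a real directory (not a symlink), owned by
 * uid and not writable by group/others. Returns a dir fd or -1. */
int open_cache_dir(const char *path, uid_t uid)
{
    struct stat st;
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;              /* missing, a symlink or not a dir */
    if (fstat(dfd, &st) < 0 || st.st_uid != uid ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(dfd);
        return -1;                       /* wrong owner or too permissive */
    }
    return dfd;
}

/* Create a file relative to the verified dir; O_NOFOLLOW makes an existing
 * link such as index.html -> /home/paul/.bashrc fail (ELOOP) instead of
 * overwriting the link target. */
int open_cache_file(int dfd, const char *name)
{
    return openat(dfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Self-check rebuilding the post's scenario in a constructed scratch dir.
 * Returns 0 if every check behaves as expected, otherwise the failing step. */
int selftest(void)
{
    char dir[] = "/tmp/kfm-check-XXXXXX";  /* constructed name, not kfm's */
    if (!mkdtemp(dir)) return 1;           /* created 0700, owned by us */
    int dfd = open_cache_dir(dir, getuid());
    if (dfd < 0) return 2;                 /* a fresh private dir must pass */
    if (symlinkat("/home/paul/.bashrc", dfd, "index.html") < 0) return 3;
    int fd = open_cache_file(dfd, "index.html");
    if (fd >= 0) { close(fd); return 4; }  /* the symlink was followed: bad */
    fd = open_cache_file(dfd, "index.txt");
    if (fd < 0) return 5;                  /* a plain new file must work */
    close(fd);
    unlinkat(dfd, "index.html", 0);
    unlinkat(dfd, "index.txt", 0);
    close(dfd);
    if (chmod(dir, 0777) < 0 || open_cache_dir(dir, getuid()) >= 0)
        return 6;                          /* world-writable must be rejected */
    rmdir(dir);
    return 0;
}
```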