[22397] in bugtraq


Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files

daemon@ATHENA.MIT.EDU (Darren Moffat)
Thu Aug 23 16:42:20 2001

Message-Id: <200108232008.f7NK8PH602485@jurassic.eng.sun.com>
Date: Thu, 23 Aug 2001 13:07:01 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Reply-To: Darren Moffat <Darren.Moffat@eng.sun.com>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: YSccS/f0Ew3fAhwXZCDmBw==

The AdobeFnt.lst file actually comes from libCoolType.so.1, so there is
potential that other Adobe software that uses libCoolType.so.1 would
also be vulnerable to this bug.

I don't know if there is other stuff that uses libCoolType or not, but looking
at the symbol table it appears that it is a font library of sorts [I also
noticed that it was compiled with gcc ;-)].

It appears that the permissions are only set insecurely if the file
didn't already exist, so a very simple wrapper around AdobeFnt.lst that
created the file with good permissions first would probably suffice.

Using truss on Solaris I discovered that the creation of the AdobeFnt.lst
file in the users home directory is the only time that fchmod(fd, 0666) was
called so my previous LD_PRELOAD fix that circumvents Adobe's poor security
can be simplified to just this (which I have compiled and tested):


/* LD_PRELOAD interposer: every fchmod() made by the program is forced to
 * mode 0600.  This is deliberate for the case described above, where the
 * only fchmod() call is the one that makes ~/AdobeFnt.lst world writable. */
#define _GNU_SOURCE          /* RTLD_NEXT needs this on glibc; harmless on Solaris */
#include <limits.h>
#include <sys/types.h>
#include <sys/stat.h>        /* mode_t, fchmod prototype */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

int fchmod(int fildes, mode_t mode)
{
        /* resolved once: the real fchmod() in the next object after us */
        static int (*fptr)(int fildes, mode_t mode) = 0;

        if (fptr == 0) {
            fptr = (int (*)(int, mode_t))dlsym(RTLD_NEXT, "fchmod");
            if (fptr == NULL) {
                (void) fprintf(stderr, "dlsym: %s\n", dlerror());
                return -1;   /* fchmod() returns int, not a pointer */
            }
        }

        /* ignore the caller's 0666 and use owner-only permissions */
        mode = 0600;

        return ((fptr)(fildes, mode));
}

--
Darren J Moffat
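The post also suggests a second mitigation: since libCoolType only calls fchmod(fd, 0666) when it creates the file itself, pre-creating AdobeFnt.lst with private permissions sidesteps the bug without interposing on anything. The following is an added example that is not Darren Moffat's code; it creates the file with O_CREAT|O_EXCL and mode 0600, refuses to follow a symlink at that path, tightens an existing file that the current user owns, and provides a check that an administrator can run over home directories to find the world-writable variant. The /tmp path used for the demo run is a constructed placeholder, not the real ~/AdobeFnt.lst location.

```c
/* Added example, not from the original post: pre-create AdobeFnt.lst with
 * private permissions and check for the world-writable variant. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is world writable, 0 if not, -1 on error (errno set).
 * Uses lstat so a symlink planted at the path is reported as-is. */
int world_writable(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Create path with mode 0600 if it does not exist.  If it already exists,
 * accept it only if it is a regular file owned by the caller, and strip all
 * group/other bits from it.  Never follows a symlink.  Returns 0 on success,
 * -1 on failure (errno set). */
int precreate_private(const char *path)
{
    struct stat st;
    int rc;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        /* O_CREAT applies the umask; fchmod makes 0600 explicit regardless */
        rc = fchmod(fd, 0600);
        close(fd);
        return rc;
    }
    if (errno != EEXIST)
        return -1;

    /* existing file: O_NOFOLLOW makes open() fail with ELOOP on a symlink */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    rc = fchmod(fd, 0600);   /* fchmod needs ownership, not a writable fd */
    close(fd);
    return rc;
}

/* Constructed demo path under /tmp so the example never touches the real
 * ~/AdobeFnt.lst; the real wrapper would build "$HOME/AdobeFnt.lst". */
const char *example_path(void)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "/tmp/AdobeFnt-example-%ld.lst", (long)getpid());
    return buf;
}

int main(void)
{
    const char *p = example_path();
    unlink(p);
    if (precreate_private(p) != 0) {
        perror("precreate_private");
        return 1;
    }
    printf("%s world writable: %d\n", p, world_writable(p));
    unlink(p);
    return 0;
}
```

Run precreate_private() on the real path before launching Acrobat (for example from a wrapper script or login profile), and use world_writable() in a periodic sweep of home directories to detect installations where the file was already created with 0666.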

