[23925] in bugtraq


Re: Maelstrom 1.4.3 arbitrary file overwrite

daemon@ATHENA.MIT.EDU (Chris Gragsone)
Tue Jan 22 00:14:53 2002

Message-ID: <3C4C4143.4050002@realwarp.net>
Date: Mon, 21 Jan 2002 11:26:43 -0500
From: Chris Gragsone <maetrics@realwarp.net>
MIME-Version: 1.0
To: Andrew Griffiths <andrewg@tasmail.com>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

You should also note that Maelstrom doesn't check the return value of fopen(),
nor does it remove the file when it closes.  If you have multiple users
who run Maelstrom, or just someone who wants to break stuff, and
/tmp/f is owned by another user or its permissions are set to
non-writable, Maelstrom will segfault when it passes 0 as the file
stream to fprintf().

--chris

Andrew Griffiths wrote:

> Program: Maelstrom
> Version: 1.4.3
> Distribution: RedHat 7.1
> 
> When trying to break stuff, ltracing Maelstrom showed the following:
> 
> fopen("/tmp/f", "w")                              = 0x08081f58
> fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
> fclose(0x08081f58)                                = 0
> 
> Which made me wonder if it followed symbolic links, by doing
> 
> [andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla >  /tmp/bla; \
> ln -s /tmp/bla f)
> 
> at which point I ran it again, and when I did cat /tmp/bla, I got
> 
> Main program = Maelstrom
> 
> Conclusion:
> -=-=-=-=-=-
> 
> You can overwrite arbitrary files with the permissions of the user who ran
> it.
> 
> Of course, this won't work on systems that have linking restrictions in /tmp.
> 
> Fixing it
> -=-=-=-=-
> 
> Remove the code that does the above.
> 
> 
> --
> www.tasmail.com
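
As an added example (not Maelstrom's code, and not from either poster), the fixed-name fopen("/tmp/f", "w") seen in the ltrace is rewritten the way a defender would want it, assuming Linux/glibc and a hypothetical `/tmp/maelstrom-XXXXXX` name template; the last function replays Andrew's symlink test inside a private directory to show the O_CREAT|O_EXCL|O_NOFOLLOW open refusing the planted link instead of writing through it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create PATH only if nothing is there yet (O_EXCL) and never through a
 * symlink (O_NOFOLLOW): a pre-planted link at a predictable name then fails
 * with EEXIST instead of truncating its target.  Returns an fd or -1. */
int open_new_nofollow(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened form of the fopen/fprintf/fclose sequence in the ltrace above:
 * unpredictable name from mkstemp() (O_CREAT|O_EXCL, mode 0600), every return
 * value checked so no NULL FILE* reaches fprintf(), and the file unlinked
 * once used.  The written line is read back into OUT.  0 on success, -1 else. */
int write_main_program(const char *prog, char *out, size_t outlen)
{
    char path[] = "/tmp/maelstrom-XXXXXX";   /* hypothetical name template */
    int rc = 0, fd = mkstemp(path);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "w+");              /* mkstemp opens O_RDWR */
    if (fp == NULL) { close(fd); unlink(path); return -1; }   /* check Maelstrom skips */
    if (fprintf(fp, "Main program = %s\n", prog) < 0 || fflush(fp) != 0) rc = -1;
    rewind(fp);                               /* read back what was written */
    if (rc == 0 && fgets(out, (int)outlen, fp) == NULL) rc = -1;
    if (fclose(fp) != 0) rc = -1;
    if (unlink(path) != 0) rc = -1;           /* don't leave it behind in /tmp */
    return rc;
}

/* Replays the report's symlink test in a private directory: plant f -> bla,
 * then try to create f.  Returns 1 if the open is refused with EEXIST. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/mtest-XXXXXX", target[64], lnk[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/bla", dir);
    snprintf(lnk, sizeof lnk, "%s/f", dir);
    int tfd = open(target, O_WRONLY | O_CREAT, 0600);
    if (tfd >= 0) close(tfd);
    int refused = tfd >= 0 && symlink(target, lnk) == 0 &&
                  open_new_nofollow(lnk) == -1 && errno == EEXIST;
    unlink(lnk); unlink(target); rmdir(dir);
    return refused;
}
```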