[3317] in bugtraq
[BUG] Vulnerability in TIN
daemon@ATHENA.MIT.EDU (Shyne-Song Chuang)
Tue Sep 3 01:43:31 1996
Date: Tue, 3 Sep 1996 10:16:56 +0800
Reply-To: Shyne-Song Chuang <Shyne-Song.Chuang@Singapore.Sun.COM>
From: Shyne-Song Chuang <Shyne-Song.Chuang@Singapore.Sun.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Hi everyone,
I am not sure if this is a known vulnerability, but the newsreader
tin also has a problem with mode 666 temp files. The standard distribution
creates /tmp/.tin_log by default, and can be abused to create any
file writable by the tin user. Existing files can be overwritten
and made world writable as long as this is so.

The tin user's account can similarly be compromised with the creation
of an .rhosts file as with other recent exploits of the same nature.

This bug is less convenient to exploit than the others since the log file
is created only by the first person to run tin before .tin_log exists.
Subsequent tin users are appended to this log file. It would therefore
take some guess work to determine who this first tin user would be. This
is perhaps easier to accomplish on a dedicated user workstation.
The opportunity to exploit tin would be after each reboot when /tmp is
cleared up.

This problem affects tin 1.2 PL1 and the current PL2 as well.
Here's the offensive source code:
    /* log_file becomes /tmp/.tin_log: a fixed, predictable name in a world-writable directory */
    joinpath (log_file, TMPDIR, LOG_USER_FILE);
    /* "a+" creates the file if absent and appends otherwise; it follows any symlink planted at that name */
    if ((fp = fopen (log_file, "a+")) != (FILE *) 0) {
        time (&epoch);
        fprintf (fp, "%s%s: %-32s (%-8s) %s",
                 VERSION, PATCHLEVEL,
#ifdef M_AMIGA
                 get_val ("REALNAME", "Unknown"),
                 get_val ("USERNAME", "Unknown"),
#else
                 buf,
                 myentry->pw_name,
#endif
                 ctime (&epoch));
        fclose (fp);
        /* chmod by path, not by descriptor: applied to whatever log_file resolves to, and makes it world-writable */
        chmod (log_file, 0666);
    }
Rgds,
Song
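The following is an added example, not tin's code and not part of the post above. It reproduces the pattern the post describes (fopen("a+") on a predictable path followed by chmod(0666) by path) against a planted symlink, and sets a hardened open beside it that refuses the symlink. The helper names (log_open_vulnerable, log_open_hardened, run_attack), the temporary directory under /tmp and the victim file named victim.rhosts are constructed for the demonstration.

```c
/* Added example, not tin's code: symlink attack on a predictable log
 * path, with the vulnerable pattern from the post and a hardened open. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern modelled on the tin excerpt: fopen("a+") follows a
 * symlink sitting at the predictable path, the entry is appended to the
 * link target, and chmod(path, 0666) is applied to that target too.
 * Returns 0 on success, -1 on failure. */
int log_open_vulnerable(const char *log_file, const char *entry)
{
    FILE *fp = fopen(log_file, "a+");
    if (fp == NULL)
        return -1;
    fputs(entry, fp);
    fclose(fp);
    return chmod(log_file, 0666);   /* chmod by path: hits the link target */
}

/* Hardened form: never follow a symlink at the log path, create the file
 * with a private mode if it is absent, and check the open descriptor is a
 * plain regular file we own before writing. No chmod afterwards. */
int log_open_hardened(const char *log_file, const char *entry)
{
    int fd = open(log_file, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                   /* ELOOP when a symlink is at the path */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    ssize_t len = (ssize_t)strlen(entry);
    int ok = write(fd, entry, len) == len;
    close(fd);
    return ok ? 0 : -1;
}

/* Demonstration harness (constructed): an attacker plants a symlink named
 * .tin_log in a fresh directory, pointing at a victim file that is mode
 * 0600, then the given logger runs as the victim would run tin. Returns
 * the victim file's permission bits afterwards, or -1 on setup failure. */
int run_attack(int (*logger)(const char *, const char *))
{
    char dir[] = "/tmp/tinlogXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char victim[256], link[256];
    snprintf(victim, sizeof victim, "%s/victim.rhosts", dir);
    snprintf(link, sizeof link, "%s/.tin_log", dir);

    int fd = open(victim, O_WRONLY | O_CREAT, 0600);   /* private victim file */
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(victim, link) < 0)                      /* attacker's step */
        return -1;

    logger(link, "+ +\n");          /* the line an attacker wants in .rhosts */

    struct stat st;
    int mode = stat(victim, &st) < 0 ? -1 : (int)(st.st_mode & 0777);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("vulnerable logger: victim mode %04o\n", run_attack(log_open_vulnerable));
    printf("hardened logger:   victim mode %04o\n", run_attack(log_open_hardened));
    return 0;
}
```

With the vulnerable logger the victim file ends up mode 0666 with the attacker's line appended to it, which is exactly the .rhosts scenario in the post; with the hardened open the symlink is rejected (ELOOP), nothing is written and the file stays 0600. O_NOFOLLOW only protects the final path component, so a per-user log under $HOME or a directory created with mkdtemp is still preferable to any fixed name in /tmp.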