[3342] in bugtraq


Re: [linux-security] Pine security problem

daemon@ATHENA.MIT.EDU (Pascal A. Dupuis)
Thu Sep 12 18:55:47 1996

Date: 	Thu, 12 Sep 1996 09:41:45 +0200
Reply-To: "Pascal A. Dupuis" <dupuis@lei.ucl.ac.be>
From: "Pascal A. Dupuis" <dupuis@lei.ucl.ac.be>
X-To:         "Liam O. Forbes" <lforbes@arsc.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <Pine.SGI.3.91.960910172225.5546A-100000@weinhard.arsc.edu>

On Tue, 10 Sep 1996, Liam O. Forbes wrote:

> This is in regards to the "fix" of the possible security problem in
> Pine < v3.95.  Pine 3.95 does indeed check for symbolic links, now, before
[...]
> If you use the alternate editor feature, and a symbolic link exists with the
> desired name, the link isn't checked like the mail lock file is, and the editor
> dumps everything into the file pointed to by the symbolic link.  This can lead
> to several possible security breaches via:
>   1.  the ability to mangle a target file.
>   2.  the ability to eavesdrop on composed messages.
>   3.  (if you are really fancy) the ability to set up at least one bogus
>       .rhosts entry by sending email to someone who responds to email by
>       quoting entire files.
> There are probably several other things that can be done via this /tmp file
> problem (and have been).
>
I tried with my system, running Pine 3.95 on Linux 2.0.18.
A) I started composing a message, invoked the alternate editor (with
Linux and a French keyboard, the command is ^), ??? ). From another login
name, I do:
  cd /tmp
  ln -s pico.pid hacker.tmp
  more hacker.tmp -> permission denied!
B) I started the other way:
  first, from the other login
  ln -s hacker.tmp pico.pid
Then, start composing a message. Invoking the alternate command resulted
in the error message: "Problem creating pico temp file", and I was unable
to use the alternate editor.
On the Linux system, the /tmp/pico.pid file is created 600, owned by the
Pine user. At first glance, this should be safe, shouldn't it?

Pascal A. Dupuis

--
Information Science is emerging from the Prehistoric Ages, but its
language still reflects it: gnu, hurd, awk, nroff, ls, ar, chmod, ...
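The two outcomes Pascal reports (a 0600 file that the other login cannot read, and a "Problem creating pico temp file" error when the symlink is planted first) are exactly what a temp file opened with O_CREAT|O_EXCL and mode 0600 produces. The C below is an added illustration of that defensive pattern, not Pine's or pico's own code (the thread does not show Pine's actual open() flags). It builds a constructed fixture directory under /tmp (or $TMPDIR) with a "pico.pid" symlink pointing at "hacker.tmp", mirroring scenario B, and shows that the creation is refused with EEXIST and no hacker.tmp ever appears; for scenario A it shows the freshly created file is a regular file with no group/other permission bits. The file and directory names are placeholders chosen for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private scratch file at `path` without ever following a
 * pre-existing symlink. O_CREAT|O_EXCL makes open() fail with EEXIST when
 * anything already sits at that name (POSIX: a symlink counts, even a
 * dangling one, regardless of where it points); O_NOFOLLOW is belt and
 * braces. Mode 0600 keeps other users from reading what the editor writes.
 * Returns the open fd, or -1 with errno set. */
int open_private_tmp(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Post-check what we actually opened: a regular file with no
     * group/other bits (umask can only remove bits from 0600). */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 077) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a fresh 0700 directory for the demo (not Pine's layout). */
static int make_demo_dir(char *dir, size_t dirlen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    snprintf(dir, dirlen, "%s/pinedemo.XXXXXX", base);
    return mkdtemp(dir) == NULL ? -1 : 0;
}

/* Scenario B: the other login plants "pico.pid -> hacker.tmp" first.
 * Returns 1 when creation is refused with EEXIST and no hacker.tmp exists. */
int scenario_b_refused(void)
{
    char dir[128], link[160], target[160];
    if (make_demo_dir(dir, sizeof dir) != 0)
        return 0;
    snprintf(link, sizeof link, "%s/pico.pid", dir);
    snprintf(target, sizeof target, "%s/hacker.tmp", dir);
    int result = 0;
    if (symlink("hacker.tmp", link) == 0) {
        int fd = open_private_tmp(link);
        int refused = (fd < 0 && errno == EEXIST);
        struct stat st;
        int no_target = (lstat(target, &st) != 0 && errno == ENOENT);
        if (fd >= 0)
            close(fd);
        result = refused && no_target;
        unlink(link);
    }
    rmdir(dir);
    return result;
}

/* Scenario A: the file is created first, so a symlink made later by another
 * user points at something they cannot read. Returns 1 when the created
 * file is a regular file with no group/other permission bits. */
int scenario_a_private(void)
{
    char dir[128], path[160];
    if (make_demo_dir(dir, sizeof dir) != 0)
        return 0;
    snprintf(path, sizeof path, "%s/pico.pid", dir);
    int ok = 0;
    int fd = open_private_tmp(path);
    if (fd >= 0) {
        struct stat st;
        ok = (lstat(path, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("scenario B (symlink planted first) refused: %s\n",
           scenario_b_refused() ? "yes" : "no");
    printf("scenario A (fresh file unreadable by others): %s\n",
           scenario_a_private() ? "yes" : "no");
    return 0;
}
```

The important point for a reviewer of any /tmp-using program is the same one Liam raised for the alternate editor path: the mail lock file and the pico temp file may be opened by different code paths, and only a path that uses O_CREAT|O_EXCL (or mkstemp, which does so internally) gets the refusal shown in scenario B. A path that opens with plain O_CREAT|O_TRUNC will happily follow the planted link.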
