[6136] in bugtraq


Fw: tetex-0.4pl8 world-writable database

daemon@ATHENA.MIT.EDU (Michał Zalews)
Fri Feb 20 13:10:42 1998

Date: 	Fri, 20 Feb 1998 13:14:26 +0100
Reply-To: Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
From: Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG

BRIEFING: tetex-0.4pl8 package (and previous ones) includes a
world-writable/readable database file, /usr/lib/texmf/texmf/ls-R.
ls-R stores locations of TeX scripts to speed up access. In a trusted
environment, a user may add his own components, fonts, etc., and list
them there. Otherwise this file seems to be mostly harmless, so
ls-R database has mode 666 in standard TeX distributions.
Hmmm, but it isn't quite harmless... One of the paths listed in this file
may be modified a little, and then TeX will read our evil script instead
of the original one... TeX language is quite powerful, so a modified script
may do almost anything with the processed document, or even access files
on the victim's account:

-- lame_example.ltx --
\begin{filecontents}{NotFunnyFile}
Just An Useless Example
\end{filecontents}
-- eof --

EXPLOIT: Nothing at this time, there's no reason to write it.

FIX: chmod 644 /usr/lib/texmf/texmf/ls-R, or, if possible, chattr to
append-only. If you're unsure if your ls-R has been already modified
- rebuild it. Note, ls-R is root-owned, so it's stupid to leave it
world-writable, even in append-only mode - anyone may execute
cp /dev/zero>>ls-R...

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to execute recursively - divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
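
Added example (not part of the original post): a shell audit for the condition the advisory describes. It finds ls-R files writable by group or others, flags directory entries that look tampered with, and applies the chmod 644 fix. It assumes the "ls -R" style layout in which directory headers end with ":"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit ls-R databases under a texmf tree.
# Assumption: directory headers in ls-R end with ':' (ls -R style) and,
# when relative, are relative to the directory holding the database.

# Print every ls-R below $1 that is writable by group or others.
find_writable_lsr() {
    find "$1" -type f -name ls-R \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Print directory headers of ls-R file $1 that contain ".." or that do
# not exist on disk; both are signs the list was edited or is stale.
suspicious_dirs() {
    base=$(dirname "$1")
    grep ':$' "$1" | sed 's/:$//' | while IFS= read -r d; do
        case "$d" in
            /*) target=$d ;;
            *)  target=$base/$d ;;
        esac
        case "$d" in
            *..*) printf '%s\n' "$d" ;;
            *)    [ -d "$target" ] || printf '%s\n' "$d" ;;
        esac
    done
}

# The advisory's fix: owner read/write, everyone else read-only.
fix_lsr() {
    chmod 644 "$1"
}

# Report on a whole tree; the default root is the path from the advisory.
audit_tree() {
    root=${1:-/usr/lib/texmf/texmf}
    find_writable_lsr "$root" | while IFS= read -r f; do
        echo "WRITABLE: $f"
        suspicious_dirs "$f" | sed 's/^/  suspicious entry: /'
    done
}

# Run only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

A database that was writable and shows suspicious entries should be rebuilt, as the advisory says, rather than only having its mode corrected.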
