[17675] in bugtraq
Re: Joe's Own Editor File Link Vulnerability
daemon@ATHENA.MIT.EDU (John Madden)
Thu Nov 16 19:25:35 2000
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <0011161305300F.16925@weez>
Date: Thu, 16 Nov 2000 13:05:30 -0500
Reply-To: John Madden <weez@AVENIR.DHS.ORG>
From: John Madden <weez@AVENIR.DHS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <OFA37580A7.D534E0C8-ONC1256999.002E0BB0@wkit.se>
> VULNERABILITY EXAMPLE
> - Root is logged in remotely
> - Malicious user (X) notices that root is editing file.txt in /tmp
> (where X has write permissions)
> - X creates a link from /etc/passwd (root = write permission) to
> /tmp/DEADJOE
> - Root's connection is dropped or terminated under abnormal conditions
> (for example: root halts the system) before file.txt is saved, the
> editor will write a rescue copy to /tmp/DEADJOE
Correction: joe creates DEADJOE in the present working directory, not
/tmp. root would have to be working in /tmp for this to work. Of course,
the link could be in /home/foouser to /etc/passwd, but that makes the
exploit a bit more difficult.
(Tested on slackware 7.0, default joe installation)
John
--
# John Madden weez@avenir.dhs.org ICQ: 2EB9EA
# UNIX Systems Engineer, Ivy Tech State College
# FreeLists, Free mailing lists for all: http://www.freelists.org
# Sys-Admin / Webmaster, Avenir Web: http://avenir.dhs.org
# Linux, Apache, Perl and C: All the best things in life are free!
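The thread above describes a rescue file (DEADJOE) being written through a symlink that another user planted in the working directory. The following is an added example, not code from the post or from joe itself, showing the create-or-truncate pattern that follows such a link beside a hardened open that refuses it (O_EXCL plus O_NOFOLLOW, then an fstat sanity check on the descriptor). Function names, the temporary directory layout and the sample "victim" content are all constructed for the demonstration; "victim" stands in for the root-owned target.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open for an editor rescue file (assumed name, not joe's own code).
 * O_EXCL refuses any pre-existing directory entry and O_NOFOLLOW refuses a
 * symlink, so a planted DEADJOE link cannot redirect the write. */
int open_rescue_file_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Belt and braces: the descriptor must be a plain file we just created. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The unsafe pattern the report describes: create-or-truncate follows a link. */
int open_rescue_file_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Constructed scenario in a private temp dir: "victim" plays the root-owned
 * file, "DEADJOE" is the symlink an unprivileged user left pointing at it. */
struct scenario { char dir[64]; char victim[80]; char link[80]; };

static int build_scenario(struct scenario *s)
{
    strcpy(s->dir, "/tmp/deadjoe-demo-XXXXXX");
    if (mkdtemp(s->dir) == NULL)
        return -1;
    snprintf(s->victim, sizeof s->victim, "%s/victim", s->dir);
    snprintf(s->link, sizeof s->link, "%s/DEADJOE", s->dir);
    FILE *f = fopen(s->victim, "w");
    if (f == NULL)
        return -1;
    fputs("root:x:0:0:root:/root:/bin/sh\n", f); /* constructed sample content */
    fclose(f);
    return symlink(s->victim, s->link);
}

static void teardown(struct scenario *s)
{
    unlink(s->link);
    unlink(s->victim);
    rmdir(s->dir);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Returns 1 if the hardened open refused the planted link and left the target intact. */
int hardened_refuses_symlink(void)
{
    struct scenario s;
    if (build_scenario(&s) != 0)
        return 0;
    long before = file_size(s.victim);
    int fd = open_rescue_file_hardened(s.link);
    if (fd >= 0)
        close(fd);
    int ok = (fd < 0) && before > 0 && file_size(s.victim) == before;
    teardown(&s);
    return ok;
}

/* Returns 1 if the unsafe open followed the link and truncated the target. */
int unsafe_follows_symlink(void)
{
    struct scenario s;
    if (build_scenario(&s) != 0)
        return 0;
    long before = file_size(s.victim);
    int fd = open_rescue_file_unsafe(s.link);
    if (fd >= 0)
        close(fd);
    int clobbered = (fd >= 0) && before > 0 && file_size(s.victim) == 0;
    teardown(&s);
    return clobbered;
}

/* Returns 1 if the hardened open still works on a fresh, unplanted name. */
int hardened_writes_fresh_file(void)
{
    struct scenario s;
    if (build_scenario(&s) != 0)
        return 0;
    char fresh[96];
    snprintf(fresh, sizeof fresh, "%s/rescue.txt", s.dir);
    int fd = open_rescue_file_hardened(fresh);
    int ok = 0;
    if (fd >= 0) {
        ok = write(fd, "saved\n", 6) == 6;
        close(fd);
        ok = ok && file_size(fresh) == 6;
    }
    unlink(fresh);
    teardown(&s);
    return ok;
}

int main(void)
{
    printf("hardened refuses planted link: %d\n", hardened_refuses_symlink());
    printf("unsafe follows planted link:   %d\n", unsafe_follows_symlink());
    printf("hardened writes fresh file:    %d\n", hardened_writes_fresh_file());
    return 0;
}
```

The same check generalises to any unprivileged-writable directory, which matches the correction in the reply: the directory need not be /tmp, only somewhere the editor's owner happens to be working and another user can create entries. An editor that must overwrite an existing rescue file should instead unlink the stale name first and still create with O_EXCL, or write to a freshly created name and rename over it.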