[18024] in bugtraq


Re: [hacksware]Pine temporary file hijacking vulnerability

daemon@ATHENA.MIT.EDU (Peter W)
Tue Dec 12 16:16:21 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.30.0012111508510.25236-100000@localhost>
Date:         Mon, 11 Dec 2000 15:24:15 -0500
Reply-To: Peter W <peterw@USA.NET>
From: Peter W <peterw@USA.NET>
X-To:         JW Oh <mat@IVNTECH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.30.0012111741270.7292-100000@ivntech.com>

At 5:43pm Dec 11, 2000, JW Oh wrote:

>  pine creates its temporary file in the /tmp directory with names like
> /tmp/pico.007292 (where 7292 is the pid of the pine process running).
>
>  You can simply symlink this file (/tmp/pico.<pid>) to another file
> that doesn't exist.
>  When the victim is editing a message, the victim's editor vi follows
> symlinks and creates another file.
>  By removing this symlink and creating your own temporary file and
> making it writable to the victim, you can hijack his mail message.

I tried this on my box, and couldn't get the same result. I suspect this
is because I have TMP and TMPDIR environment variables set. Using 'strace'
I can see Pine work with temp files in the directory specified by TMP and
TMPDIR. So, once again, TMP/TMPDIR trump the /tmp default.

Sure, it would be nice if all apps were safe in their use of temp files.
It would be nice if there were an easy, portable way to ensure safe temp
file operations (mkstemp()?), but in the meantime, don't panic. Set safe
values for TMP and TMPDIR and Pine behaves well.

See http://www.securityfocus.com/archive/1/144002 for a TMP/TMPDIR script.

-Peter

Congrats to JJB and Fede; you know what for. ;-)
Happy Lucia Day (almost) to the G clan worldwide.
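The two defensive points in this thread (honour TMPDIR instead of a fixed /tmp path, and create the file with mkstemp() so a pre-planted name is refused rather than followed) as an added C example. This is not Pine's code and not code from either poster; the function names, the `pico` prefix, the `pinecheck` scratch directory and the `hijacked` target name are assumptions made for the illustration. The second function reproduces the post's hazard in a private scratch directory purely to show that an O_CREAT|O_EXCL open fails with EEXIST on a dangling symlink and never creates its target.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory for temp files: $TMPDIR if set, otherwise the /tmp default. */
static const char *tmpdir_or_default(void) {
    const char *dir = getenv("TMPDIR");
    return (dir != NULL && *dir != '\0') ? dir : "/tmp";
}

/* Create a temp file under $TMPDIR (default /tmp) with mkstemp(), which
 * opens with O_CREAT|O_EXCL: a path of the same name planted beforehand,
 * symlink or not, makes the call fail instead of being followed. The
 * "XXXXXX" suffix becomes an unpredictable string, so the name cannot be
 * derived from the pid the way /tmp/pico.<pid> can.
 * Returns the open fd (or -1) and stores the chosen path in `out`. */
int safe_tempfile(const char *prefix, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", tmpdir_or_default(), prefix);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(out);
    if (fd < 0)
        return -1;
    /* Check through the descriptor (not the path, which could be swapped
     * underneath us) that we hold a regular, unshared, 0600 file we own. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid() || (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(out);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check for safe_tempfile(): the path lies under the chosen directory,
 * carries the prefix, and the fd is writable. Returns 1 on success. */
int safe_tempfile_selfcheck(void) {
    char path[4096];
    int fd = safe_tempfile("pico", path, sizeof path);
    if (fd < 0)
        return 0;
    const char *dir = tmpdir_or_default();
    int ok = strncmp(path, dir, strlen(dir)) == 0
          && strstr(path, "/pico.") != NULL
          && write(fd, "draft\n", 6) == 6;
    close(fd);
    unlink(path);
    return ok;
}

/* Defender's view of the hazard from the post, inside a private scratch
 * directory: a dangling symlink already sits at the predictable name
 * pico.007292. An O_CREAT|O_EXCL open must fail with EEXIST and must not
 * create the link's target (a plain O_CREAT open would follow the link).
 * Returns 1 if that is exactly what happens. */
int excl_refuses_planted_symlink(void) {
    char scratch[4096], link[4096], target[4096];
    snprintf(scratch, sizeof scratch, "%s/pinecheck.XXXXXX", tmpdir_or_default());
    if (mkdtemp(scratch) == NULL)
        return 0;
    snprintf(link, sizeof link, "%s/pico.007292", scratch);
    snprintf(target, sizeof target, "%s/hijacked", scratch);
    int result = 0;
    if (symlink(target, link) == 0) {
        int fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
        struct stat st;
        /* refused with EEXIST, and the target was never brought into being */
        result = (fd < 0 && errno == EEXIST && lstat(target, &st) != 0);
        if (fd >= 0)
            close(fd);
    }
    unlink(target);
    unlink(link);
    rmdir(scratch);
    return result;
}

int main(void) {
    printf("mkstemp under TMPDIR: %s\n", safe_tempfile_selfcheck() ? "ok" : "FAILED");
    printf("O_EXCL refuses planted symlink: %s\n",
           excl_refuses_planted_symlink() ? "yes" : "NO");
    return 0;
}
```

Compile with `cc -o tmpcheck tmpcheck.c` and run it with and without `TMPDIR` set; the first line shows the file landing in the directory the environment names, which is the behaviour Peter observed with strace. The fstat() check after mkstemp() is deliberately done on the descriptor rather than the path, since a path-based lstat() would reopen the same race the post describes.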
