[18103] in bugtraq
Re: J-Pilot Permissions Vulnerability
daemon@ATHENA.MIT.EDU (Ryan W. Maple)
Fri Dec 15 17:13:36 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10012151151440.29307-100000@mastermind.inside.guardiandigital.com>
Date: Fri, 15 Dec 2000 11:53:55 -0500
Reply-To: "Ryan W. Maple" <ryan@GUARDIANDIGITAL.COM>
From: "Ryan W. Maple" <ryan@GUARDIANDIGITAL.COM>
X-To: Weston Pawlowski <bug@WESTON.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001214082122.19994.qmail@securityfocus.com>
Did you contact the vendor? I have Cc:'d him on this as you make no
mention of it in your message.
I can verify this, and moreover it appears as if J-Pilot uses the user's
umask:
[rwm@ryan rwm]$ umask
002
[rwm@ryan rwm]$ ls -la .jpilot
total 36
drwxrwxr-x 2 rwm rwm 4096 Dec 13 13:44 .
drwxr-xr-x 100 rwm rwm 8192 Dec 14 16:49 ..
-rw-rw-r-- 1 rwm rwm 0 Dec 13 13:43 AddressDB.pc
-rw-rw-r-- 1 rwm rwm 719 Dec 13 13:43 AddressDB.pdb
<... snip ...>
So the vulnerability is furthermore amplified if they are group-writable
and there is a malicious user in the same group.
Cheers,
Ryan
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
Ryan W. Maple "I dunno, I dream in Perl sometimes..." -LW
Guardian Digital, Inc. ryan@guardiandigital.com
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
On Thu, 14 Dec 2000, Weston Pawlowski wrote:
> J-Pilot automatically creates a ".jpilot"
> directory in the user's home directory to store
> preferences and backed up PalmOS device data. The
> permissions for this directory are mode 755, and
> files in the directory are mode 644; this allows
> anyone with only minimal access to the user's home
> directory to also access their PalmOS device's
> backup data, including private records.
>
> Because ".jpilot" is often hidden due to the
> leading '.', this insecurity is often unnoticed.
> This is a big concern for J-Pilot users because it
> is common for home directories to be world
> executable, often due to a "public_html" directory
> for HTTP content which requires the user's home
> directory to be at least world executable.
>
> So in summary, if there is a user named "joe" who
> uses J-Pilot, any user on the system could type
> "cd ~joe/.jpilot" and read all of joe's PalmOS
> data including private records. This is dependent
> on joe's home directory being world executable or
> not, but it often is.
>
> The good news is that it's probably not very
> common for someone to sync their PalmOS device on
> a system that many, if any, other people have
> shell access to. But, if this situation does
> happen, the vulnerable user is likely to be the
> owner of the machine (since he has to be local),
> and there's the possibility that he may keep a
> password list on his PalmOS device. In which case,
> any user could get the system admin's passwords,
> which obviously may include the system's root
> password.
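The permission problem discussed in this thread, as an added shell example that is not code from the original post or from J-Pilot: an audit check for a ~/.jpilot that is readable by group or others, a hardening step, and a directory-creation routine that does not depend on the inherited umask. It assumes a POSIX sh with GNU or BSD ls, find and chmod; the function names are hypothetical.

```shell
# Added example (not from the original post or from J-Pilot): audit and
# harden a ~/.jpilot directory so it is reachable only by its owner, and
# create such a directory correctly regardless of the inherited umask.

# Return 0 if PATH has no group or other permission bits, 1 otherwise.
# Any such bit on ~/.jpilot (or a file inside it) is the exposure reported
# above: with a world-executable home, every local user can read the backups.
jpilot_is_private() {
    path=$1
    [ -e "$path" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits,
    # e.g. "drwxrwxr-x" -> "rwxr-x"; private only if every one is '-'.
    gobits=$(ls -ld -- "$path" | cut -c5-10)
    [ "$gobits" = "------" ]
}

# Strip group/other access from an existing J-Pilot data directory:
# 700 on directories, 600 on files (the .pc/.pdb backups and preferences).
jpilot_harden() {
    path=$1
    [ -d "$path" ] || return 1
    find "$path" -type d -exec chmod 700 {} + || return 1
    find "$path" -type f -exec chmod 600 {} + || return 1
}

# Create a private data directory no matter what umask the caller has.
# The umask change is confined to a subshell so the caller's value is
# untouched; a tool should do this at first run instead of relying on the
# user's umask (002 in the session quoted above, which yields mode 775).
jpilot_make_private_dir() {
    path=$1
    ( umask 077 && mkdir -p -- "$path" ) || return 1
    # An already existing directory keeps its old mode, so set it explicitly.
    chmod 700 "$path"
}

# Report on the current user's own directory; returns 1 if it is exposed.
jpilot_audit_home() {
    dir=${HOME}/.jpilot
    [ -d "$dir" ] || { echo "no $dir"; return 0; }
    if jpilot_is_private "$dir"; then
        echo "$dir: private"
    else
        echo "$dir: group/other accessible ($(ls -ld -- "$dir" | cut -c1-10))"
        return 1
    fi
}
```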