[18107] in bugtraq
Re: J-Pilot Permissions Vulnerability
daemon@ATHENA.MIT.EDU (Judd Montgomery)
Fri Dec 15 17:27:23 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3A3A5450.CC1FA961@engineer.com>
Date: Fri, 15 Dec 2000 12:26:40 -0500
Reply-To: Judd Montgomery <judd@ENGINEER.COM>
From: Judd Montgomery <judd@ENGINEER.COM>
X-To: "Ryan W. Maple" <ryan@guardiandigital.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
J-Pilot has always used the preset umask when creating directories and
files, therefore I have never considered this to be a security risk. It
is up to the system administrator or the user to set the umask to
his/her liking. Setting the umask to something vulnerable is a general
system administration security risk and not a risk caused by the
applications that read it and abide by it. This is how I have been
taught; however, with the rise of easy-to-use Linux distros and the
amount of new users, it may be wiser to have the default file permission
be safer than the umask suggests.
If someone can point me to an article, book, or something that changes
my mind I would be happy to change this.
Judd
"Ryan W. Maple" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Did you contact the vendor? I have Cc:'d him on this as you make no
> mention of it in your message.
>
> I can verify this, and moreover it appears as if J-Pilot uses the user's
> umask:
>
> [rwm@ryan rwm]$ umask
> 002
> [rwm@ryan rwm]$ ls -la .jpilot
> total 36
> drwxrwxr-x 2 rwm rwm 4096 Dec 13 13:44 .
> drwxr-xr-x 100 rwm rwm 8192 Dec 14 16:49 ..
> - -rw-rw-r-- 1 rwm rwm 0 Dec 13 13:43 AddressDB.pc
> - -rw-rw-r-- 1 rwm rwm 719 Dec 13 13:43 AddressDB.pdb
> <... snip ...>
>
> So the vulnerability is furthermore amplified if they are group-writable
> and there is a malicious user in the same group.
>
> Cheers,
> Ryan
>
> +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
> Ryan W. Maple "I dunno, I dream in Perl sometimes..." -LW
> Guardian Digital, Inc. ryan@guardiandigital.com
> +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
>
> On Thu, 14 Dec 2000, Weston Pawlowski wrote:
>
> > J-Pilot automatically creates a ".jpilot"
> > directory in the user's home directory to store
> > preferences and backed up PalmOS device data. The
> > permissions for this directory are mode 755, and
> > files in the directory are mode 644; this allows
> > anyone with only minimal access to the user's home
> > directory to also access their PalmOS device's
> > backup data, including private records.
> >
> > Because ".jpilot" is often hidden due to the
> > leading '.', this insecurity is often unnoticed.
> > This is a big concern for J-Pilot users because it
> > is common for home directories to be world
> > executable, often due to a "public_html" directory
> > for HTTP content which requires the user's home
> > directory to be at least world executable.
> >
> > So in summary, if there is a user named "joe" who
> > uses J-Pilot, any user on the system could type
> > "cd ~joe/.jpilot" and read all of joe's PalmOS
> > data including private records. This is dependent
> > on joe's home directory being world executable or
> > not, but it often is.
> >
> > The good news is that it's probably not very
> > common for someone to sync their PalmOS device on
> > a system that many, if any, other people have
> > shell access to. But, if this situation does
> > happen, the vulnerable user is likely to be the
> > owner of the machine (since he has to be local),
> > and there's the possibility that he may keep a
> > password list on his PalmOS device. In which case,
> > any user could get the system admin's passwords,
> > which obviously may include the system's root
> > password.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE6OkylIwAIA9MpKWcRAu35AJ4xsIcqCOinasiIfUmPzDYhoYNemQCgygDo
> g3AY+i2XgSxyD3klslUoWxg=
> =s49c
> -----END PGP SIGNATURE-----