[26315] in bugtraq


Re: Acrobat reader 5.05 temp file insecurity

daemon@ATHENA.MIT.EDU (secfocus@downhill.at.eu.org)
Thu Jul 25 12:57:16 2002

Date: 25 Jul 2002 13:33:35 -0000
Message-ID: <20020725133335.20394.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <secfocus@downhill.at.eu.org>
To: bugtraq@securityfocus.com

In-Reply-To: <200206242133.g5OLXgS78108@milan.maths.usyd.edu.au>

<psz@maths.usyd.edu.au (Paul Szabo)> wrote
[...]
>Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and
>changes its permissions to wide open (mode 666); it also follows
>symlinks. The attack is obvious:
>
>  ln -s ~victim/.bashrc /tmp/AdobeFnt06.lst.VUID
>
>and wait for victim to use acroread; then we can write his .bashrc.

Adobe claims to have fixed this in 5.06:
README:
| New for Acrobat Reader 5.0.6
|
| A security patch was applied that solves the problem reported in
| http://online.securityfocus.com/archive/1/278984 where opening the
| font cache when the application starts up can unintentionally cause
| the permissions of other files to change.
              cu andreas
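
Added example (not part of the original post, and not Adobe's code): a C routine that opens a per-user cache file in a shared directory without following a symlink and sets permissions through the file descriptor instead of the path, which is the defence against the behaviour quoted above. The function names, the 0600 mode and the constructed scratch-directory scenario are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) a cache file for writing. The final path component is
 * never followed if it is a symlink, and chmod() is never called on a path.
 * Returns an fd, or -1 unless the file is a plain file owned by the caller. */
int open_cache_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                    /* includes the "path is a symlink" case */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||   /* not ours / hard-linked */
        fchmod(fd, 0600) != 0) {      /* fchmod acts on the inode we opened */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a private scratch directory stands in for /tmp,
 * "victim" for a file the user owns, "cache" for a symlink planted at the
 * cache-file name. Returns 0 when the symlink is refused, the victim file's
 * mode is untouched, and a fresh cache path is created with mode 0600. */
int demo(void)
{
    char dir[] = "/tmp/cachedemoXXXXXX", victim[64], cache[64], fresh[64];
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(cache, sizeof cache, "%s/cache", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || fchmod(v, 0600) != 0 || symlink(victim, cache) != 0) return 1;
    close(v);
    int refused = (open_cache_file(cache) == -1);
    int intact = (stat(victim, &st) == 0 && (st.st_mode & 0777) == 0600);
    int fd = open_cache_file(fresh);
    int ok = (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600);
    if (fd >= 0) close(fd);
    unlink(cache); unlink(victim); unlink(fresh); rmdir(dir);
    return (refused && intact && ok) ? 0 : 2;
}
int main(void) { return demo(); }
```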

