Bugtraq mailing list archives
Re: [linux-security] Pine security problem
From: dupuis () lei ucl ac be (Pascal A. Dupuis)
Date: Thu, 12 Sep 1996 09:41:45 +0200
On Tue, 10 Sep 1996, Liam O. Forbes wrote:
This is in regards to the "fix" of the possible security problem in Pine < v3.95. Pine 3.95 does indeed check for symbolic links, now, before
[...]
If you use the alternate editor feature, and a symbolic link exists with the desired name, the link isn't checked like the mail lock file is, and the editor dumps everything into the file pointed to by the symbolic link. This can lead to several possible security breaches via: 1. the ability to mangle a target file. 2. the ability to eavesdrop on composed messages. 3. (if you are really fancy) the ability to set up at least one bogus .rhosts entry by sending email to someone who responds to email by quoting entire files. There are probably several other things that can be done via this /tmp file problem (and have been).
I tried with my system, running Pine3.95 on Linux 2.0.18. A) I started composing a message, invoqued the alternate editor (with Linux and a french keyboard, the command is ^), ??? ). From another login name, I do : cd /tmp ln -s pico.pid hacker.tmp more hacker.tmp -> permission denied ! B) I started the other way : first, from the other login ln -s hacker.tmp pico.pid Then, start composing a message. Invoquing the alternate command resulted in the error message : "Problem creating pico temp file", and I was unable to use the alternate editor. On the Linux system, the /tmp/pico.pid file is created 600, owned by the Pine user. At first glance, this should be safe, isn't it ? Pascal A. Dupuis -- Information Science is emerging from the Prehistoric Ages, but its language still reflects it : gnu, hurd, awk, nroff, ls, ar, chmod, ...
Current thread:
- Pine security problem Liam O. Forbes (Sep 10)
- Re: [linux-security] Pine security problem Pascal A. Dupuis (Sep 12)
- Re: [linux-security] Pine security problem Ranaur, the Elven Warlock! (Sep 12)
- <Possible follow-ups>
- Re: Pine security problem Vince L. Reed (Sep 10)
- Re: [linux-security] Pine security problem Pascal A. Dupuis (Sep 12)