Bugtraq mailing list archives
Re: Security problem in Slackware.
From: peter () attic vuurwerk nl (Peter van Dijk)
Date: Fri, 13 Mar 1998 16:34:58 +0100
On Wed, 11 Mar 1998, Suman_Saraf wrote:
Hi, I just found out that the setup program in slackware creates a file called hdtest in /tmp without checking for its existence. So a malicious user could just create a symlink to any root owned file and it will get fucked up when the administrator runs setup. In my case I just created a symlink to /etc/passwd and when I exit the setup the file contains only "EXIT" :-) Lemme know if something has been done about it already.
I have Slackware 3.4 (the newest) and I've been following the ChangeLog on ftp.cdrom.com. It only lists a fix for a bug I submitted (imapd/ipop3d coredump). [root@koek] /tmp# nd test [root@koek] /tmp/test# echo "root owns this file" > rootfile [root@koek] /tmp/test# cat rootfile root owns this file [root@koek] /tmp/test# ls -al rootfile -rw-r--r-- 1 root root 20 Mar 13 16:21 rootfile [peter@koek] /tmp$ ln -sf test/rootfile hdset [root@koek] /tmp/test# setup [peter@koek] /tmp$ ls -al test/rootfile -rw-r--r-- 1 root root 4 Mar 13 16:23 test/rootfile [peter@koek] /tmp$ cat test/rootfile EXIT[peter@koek] /tmp$ So, it does still work. Another thing that might be interesting are the /tmp/SeT* files. setup creates them while running (starting with rm -f /tmp/Set*). But while setup is running you should be able to create some symlinks, like some kind of race. Only this time, you're racing a human ;) Another file that can be exploited is /tmp/slackdir, which records which directory should be the root of the slackware filesystem. Very unlikely to be used, but worth noting. pkgtool does things like this in: /tmp/{reply,viewscr,return,tmpmsg,rmscript,wdrive,sets,pkgdir,mntans,tagfile, skip} and all kinds of /tmp/SeT* (which it cleans up when starting, like setup does). The best fix for this would be to let all these programs use their own tmp-dir, because they're going to be run as root anyway. Greetz, Peter. ------------------------------------------------------------------------------ 'Selfishness and separation have led me to . Peter 'Hardbeat' van Dijk to believe that the world is not my problem . network security consultant I am the world. And you are the world.' . (yeah, right...) Live - 10.000 years (peace is now) . peter () attic vuurwerk nl ------------------------------------------------------------------------------ 4:19pm up 18:48, 4 users, load average: 0.00, 0.02, 0.00 ------------------------------------------------------------------------------
Current thread:
- New OpenBSD security web page, (continued)
- New OpenBSD security web page Theo de Raadt (Mar 06)
- Re: the purpose of dynamic memory allocation tqbf () secnet com (Mar 06)
- Possible Bug in CDE on HP-UX gareth greenaway (Mar 09)
- Re: Possible Bug in CDE on HP-UX Jeremy Brinkley (Mar 10)
- Re: the purpose of dynamic memory allocation David LeBlanc (Mar 10)
- Re: the purpose of dynamic memory allocation Jeffrey Hutzelman (Mar 10)
- Re: the purpose of dynamic memory allocation Alan Cox (Mar 11)
- DoS (and possibly more) on MDaemon for NT/95 Alvaro Martinez Echevarria (Mar 10)
- MDaemon SMTP Server Buffer Overflow's Aleph One (Mar 10)
- Security problem in Slackware. Suman_Saraf (Mar 11)
- Re: Security problem in Slackware. Peter van Dijk (Mar 13)
- /tmp event logger Michal Zalewski (Mar 14)
- Re: /tmp event logger Theo de Raadt (Mar 15)
- Possible Bug in CDE on HP-UX gareth greenaway (Mar 09)
- Vunerable shell scripts Michal Zalewski (Mar 14)
- More broadcast fun T. Freak (Mar 14)
- Midnight Commander /tmp race Michal Zalewski (Mar 15)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 17)
- Re: Midnight Commander /tmp race willy () SNOWYOWL CSU AC RU (Mar 17)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 18)
- Solaris printd security vulnerability Aleph One (Mar 11)
- Sun Security Bulletin #00165 Aleph One (Mar 11)