Bugtraq mailing list archives

Re: Insecure use of file in /tmp by trn

From: R.E.Wolff () BITWIZARD NL (Rogier Wolff)
Date: Sat, 21 Aug 1999 17:47:37 +0200


Martin Schulze wrote:

This was not intentional by the author, he tried to use tempfile(1) to
create the temporary filename.  However, due to a thinko, the name was
hardcoded into the script.

[...]

+#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"


So now you're using tempfile? This usually yields an easily
predictable filename, for which the same exploits hold. Just keep an
eye out for the last PID issued, and OK, this time you might need to
flip a link (provided that tempfile indeed refuses to return a file
that is currently symlinked.)

                                        Roger.

--
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------

Current thread:

Re: Internet Auditing Project, (continued)
- - Re: Internet Auditing Project Peter J. Holzer (Aug 17)
  - [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Bill Nottingham (Aug 17)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
    - Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
    - Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
    - Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
    - IE 5.0 allows executing programs Georgi Guninski (Aug 21)
    - Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
    - Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)
    - Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 21)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 24)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? mb (Aug 28)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Aaron Campbell (Aug 19)
    - Microsoft Security Bulletin (MS99-030) Aleph One (Aug 20)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Alan Cox (Aug 22)

(Thread continues...)