Bugtraq mailing list archives
Re: J-Pilot Permissions Vulnerability
From: "Ryan W. Maple" <ryan () GUARDIANDIGITAL COM>
Date: Fri, 15 Dec 2000 11:53:55 -0500
Did you contact the vendor? I have Cc:'d him on this as you make no mention of it in your message.

I can verify this, and moreover it appears as if J-Pilot uses the user's umask:

[rwm@ryan rwm]$ umask
002
[rwm@ryan rwm]$ ls -la .jpilot
total 36
drwxrwxr-x    2 rwm  rwm  4096 Dec 13 13:44 .
drwxr-xr-x  100 rwm  rwm  8192 Dec 14 16:49 ..
-rw-rw-r--    1 rwm  rwm     0 Dec 13 13:43 AddressDB.pc
-rw-rw-r--    1 rwm  rwm   719 Dec 13 13:43 AddressDB.pdb
<... snip ...>

So the vulnerability is furthermore amplified if they are group-writable and there is a malicious user in the same group.

Cheers,
Ryan

+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
  Ryan W. Maple     "I dunno, I dream in Perl sometimes..." -LW
  Guardian Digital, Inc.     ryan () guardiandigital com
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+

On Thu, 14 Dec 2000, Weston Pawlowski wrote:
J-Pilot automatically creates a ".jpilot" directory in the user's home directory to store preferences and backed up PalmOS device data. The permissions for this directory are mode 755, and files in the directory are mode 644; this allows anyone with only minimal access to the user's home directory to also access their PalmOS device's backup data, including private records. Because ".jpilot" is often hidden due to the leading '.', this insecurity is often unnoticed.

This is a big concern for J-Pilot users because it is common for home directories to be world executable, often due to a "public_html" directory for HTTP content which requires the user's home directory to be at least world executable.

So in summary, if there is a user named "joe" who uses J-Pilot, any user on the system could type "cd ~joe/.jpilot" and read all of joe's PalmOS data including private records. This is dependent on joe's home directory being world executable or not, but it often is.

The good news is that it's probably not very common for someone to sync their PalmOS device on a system that many, if any, other people have shell access to. But, if this situation does happen, the vulnerable user is likely to be the owner of the machine (since he has to be local), and there's the possibility that he may keep a password list on his PalmOS device. In which case, any user could get the system admin's passwords, which obviously may include the system's root password.
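The umask behaviour discussed in this thread, as an added example that is not part of either post or of J-Pilot's code: it reproduces the 755/644 and 775/664 modes in a temporary directory, counts the entries that grant group or other access, and creates the same store privately. The function names and the temporary paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not J-Pilot code. All paths are constructed under a temp dir.

# make_store DIR UMASK: mimic an application that creates its data directory
# and a backup file with default modes, so the umask alone decides the result.
make_store() {
    ( umask "$2" && mkdir "$1" && : > "$1/AddressDB.pdb" )
}

# make_private_store DIR: same layout, but created under umask 077 so the
# caller's umask is irrelevant (in C: mkdir(path, 0700), open(..., 0600)).
make_private_store() {
    ( umask 077 && mkdir "$1" && : > "$1/AddressDB.pdb" )
}

# exposed DIR: list DIR and every entry below it that grants any group or
# other permission bit (POSIX find syntax, one test per bit).
exposed() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}
count_exposed() { exposed "$1" | wc -l | tr -d ' '; }

# count_group_writable DIR: entries a member of the owning group could modify.
count_group_writable() { find "$1" -perm -020 -print | wc -l | tr -d ' '; }

# harden DIR: strip all group/other access from an existing store.
harden() { chmod -R go-rwx "$1"; }

demo() {
    tmp=$(mktemp -d) || return 1
    make_store "$tmp/umask022" 022     # 755/644, as in the original report
    make_store "$tmp/umask002" 002     # 775/664, as in the reply's listing
    make_private_store "$tmp/private"  # 700/600
    for d in umask022 umask002 private; do
        echo "$d: exposed=$(count_exposed "$tmp/$d")" \
             "group-writable=$(count_group_writable "$tmp/$d")"
    done
    harden "$tmp/umask002"
    echo "umask002 after harden: exposed=$(count_exposed "$tmp/umask002")"
    rm -rf "$tmp"
}
demo
```

Running `harden` on an existing `~/.jpilot` fixes the files already there; files the application creates later still follow the umask unless it sets the mode itself.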