Bugtraq mailing list archives
xterm log file vulnerability
From: terra () DIKU DK (Morten Welinder)
Date: Tue, 29 Feb 2000 17:39:25 +0100
It used to be Well Known that xterm's way of opening a log file was insecure. Well, that was 5+ years ago so I decided to take a look at the current state of affairs. Things have changed, but mostly to "different" rather than "better".

Problem: when log files are enabled, they are created in the following way (checking in XFree86 3.3.6 source; matches Solaris binaries) and are subject to race conditions:

1. File is checked for existence using access.
2. If file does not exist, it is created in a subprocess using user's real uid/gid. [ok]
3. File is checked for existence using access.
4. File is checked for write permission using access.
5. File is opened O_WRONLY | O_APPEND. [plonk]

A little symlink magic between 4 and 5 and you have write access to any file if your xterm is setuid/setgid.

General attack idea:

    ls -lL `which xterm`    # If not setuid/setgid, you are safe
    touch dummy
    symlink-flipflop link dummy /.rhosts
    xterm -l -lf link -e echo + +

Moral: access() is totally useless for security purposes. Use it only as a means of providing better error messages (as it might not be easy to get an error message out from a subprocess).

Morten
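
The moral above, shown as an added example that is not part of the original post and is not xterm's code: a setuid/setgid program can open a user-named log file with no access() step by taking on the real uid/gid for the duration of the open(), so the permission check and the open are one atomic kernel operation. The helper name `open_log_as_user`, the 0600 mode and the default file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not xterm's code): open a log file for the invoking
 * user from a setuid/setgid program. Returns an fd, or -1 with errno set.
 * There is no access() call; open() itself is the permission check. */
int open_log_as_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd, err;

    /* Take on the real ids, so the kernel checks the user's rights
     * atomically inside open() instead of in a separate earlier step. */
    if (setegid(getgid()) != 0) return -1;
    if (seteuid(getuid()) != 0) { setegid(saved_egid); return -1; }

    /* O_NOFOLLOW: a symlink as the final path component fails with ELOOP.
     * O_NONBLOCK: a FIFO planted at the path cannot hang the open. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0600);
    err = errno;

    /* Regain the privileged ids; treat failure as fatal for this open. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) { errno = err; return -1; }
    /* Inspect the object actually opened (by descriptor, not by name). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_log_as_user(argc > 1 ? argv[1] : "xterm-demo.log");
    if (fd < 0) { perror("open_log_as_user"); return EXIT_FAILURE; }
    return (write(fd, "log opened\n", 11) == 11) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The privilege switch is what closes the race in steps 4 and 5; refusing symlinks and non-regular files is additional hardening on top of it.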