Bugtraq mailing list archives

Re: Joe's Own Editor File Link Vulnerability


From: John Madden <weez () AVENIR DHS ORG>
Date: Thu, 16 Nov 2000 13:05:30 -0500

VULNERABILITY EXAMPLE
- Root is logged in remotely
- Malicious user (X) notices that root is editing file.txt in /tmp
  (where X has write permissions)
- X creates a link from /etc/passwd (root = write permission) to
  /tmp/DEADJOE
- Root's connection is dropped or terminated under abnormal conditions
  (for example: root halts the system) before file.txt is saved, the
  editor will write a rescue copy to /tmp/DEADJOE

Correction: joe creates DEADJOE in the present working directory, not
/tmp.  root would have to be working in /tmp for this to work.  Of course,
the link could be in /home/foouser to /etc/passwd, but that makes the
exploit a bit more difficult.

(Tested on slackware 7.0, default joe installation)

John





--
# John Madden  weez () avenir dhs org ICQ: 2EB9EA
# UNIX Systems Engineer, Ivy Tech State College
# FreeLists, Free mailing lists for all: http://www.freelists.org
# Sys-Admin / Webmaster, Avenir Web: http://avenir.dhs.org
# Linux, Apache, Perl and C: All the best things in life are free!
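
The fix for this class of bug is to create the rescue file exclusively in the working directory, so that an existing DEADJOE (symlink or hard link) makes the write fail instead of landing on the link's target. The sketch below is an added example, not part of the original post and not joe's code; `write_rescue_copy` and `planted_link_is_refused` are hypothetical names, and the temp directory and "victim" file are constructed stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not joe's code: write a rescue copy `name` in `dir`.
 * Returns 0 on success, -1 if the name already exists or on any error. */
int write_rescue_copy(const char *dir, const char *name, const char *buf, size_t len)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    /* O_CREAT|O_EXCL fails with EEXIST when the name is already present; a
     * symlink there is not followed. Mode 0600 keeps the copy private. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0) return -1;
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); return -1; }
        buf += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* Constructed scenario in a private temp dir: DEADJOE already exists as a link
 * to a stand-in "victim" file. Returns 1 if the write is refused and the
 * victim's contents are unchanged, 0 otherwise. */
int planted_link_is_refused(void)
{
    char dir[] = "/tmp/rescue-demo-XXXXXX", victim[64], link_path[64], got[16];
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/DEADJOE", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("original", f) < 0 || fclose(f) != 0) return 0;
    if (symlink(victim, link_path) != 0) return 0;
    int rc = write_rescue_copy(dir, "DEADJOE", "rescued text\n", 13);
    if (!(f = fopen(victim, "r"))) return 0;
    got[fread(got, 1, sizeof got - 1, f)] = '\0';
    fclose(f);
    unlink(link_path); unlink(victim); rmdir(dir);
    return rc == -1 && strcmp(got, "original") == 0;
}
int main(void) { return planted_link_is_refused() ? 0 : 1; }
```

When the create is refused, the caller has to pick another name or skip the rescue copy; truncating or reusing the existing DEADJOE would bring the problem back.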

