Bugtraq mailing list archives
Re: Joe's Own Editor File Link Vulnerability
From: John Madden <weez () AVENIR DHS ORG>
Date: Thu, 16 Nov 2000 13:05:30 -0500
VULNERABILITY EXAMPLE
- Root is logged in remote
- Malicious user (X) notices that root is editing file.txt in /tmp (where X has write permissions)
- X creates a link from /etc/passwd (root = write permission) to /tmp/DEADJOE
- Root's connection is dropped or terminated under abnormal conditions (for example: root halts the system) before file.txt is saved, the editor will write a rescue copy to /tmp/DEADJOE
Correction: joe creates DEADJOE in the present working directory, not /tmp. root would have to be working in /tmp for this to work. Of course, the link could be in /home/foouser to /etc/passwd, but that makes the exploit a bit more difficult.

(Tested on Slackware 7.0, default joe installation)

John

--
# John Madden weez () avenir dhs org ICQ: 2EB9EA
# UNIX Systems Engineer, Ivy Tech State College
# FreeLists, Free mailing lists for all: http://www.freelists.org
# Sys-Admin / Webmaster, Avenir Web: http://avenir.dhs.org
# Linux, Apache, Perl and C: All the best things in life are free!
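The condition discussed in this thread is a rescue file written through a link that another user placed in the working directory. The following is an added example, not part of the original message and not joe's own code: a hypothetical helper, `write_rescue_file`, that refuses to write through a symbolic link and, going slightly beyond the message, through a hard link as well.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: append a rescue copy to `name` in the current
 * directory without writing through a link planted by another user.
 * Returns 0 on success, -1 with errno set if the path is refused. */
int write_rescue_file(const char *name, const char *buf, size_t len)
{
    struct stat st;
    /* Common case: create a brand-new file. O_EXCL fails with EEXIST if
     * anything, including a dangling symlink, already has this name. */
    int fd = open(name, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    /* Name exists: reopen, but never follow a symlink in the last component. */
    if (fd < 0 && errno == EEXIST)
        fd = open(name, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    /* Inspect the object actually opened (fstat on the descriptor, so the
     * name cannot be swapped in between): it must be a regular file, owned
     * by us, with no second hard link pointing at it. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return close(fd);
}
```

The ownership and link-count checks matter when the writer is root: a hard link to a root-owned file passes the ownership test, so only the link count exposes it.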