Re: Maelstrom 1.4.3 abartity file overwrite

[Chris Gragsone <maetrics () realwarp net>]

You should also note that Maelstrom doesnt check the return on fopen(), 
nor does it remove the file when it closes.  If you have multiple users 
who run Maelstrom, or just someone who wants to break stuff.  If the 
/tmp/f is owned by another user, or the permissions are set to 
nonwritable.  Maelstrom will segfault when it passes 0 as the file 
stream to fprintf().

--chris

Andrew Griffiths wrote:

> Program: Maelstrom
> Version: 1.4.3
> Distribution: RedHat 7.1
>
> When trying to break stuff, ltracing Maelstrom showed the following:
>
> fopen("/tmp/f", "w")                              = 0x08081f58
> fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
> fclose(0x08081f58)                                = 0
>
> Which made we wonder if it followed symbolic links, by doing
>
> [andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla >  /tmp/bla; \
> ln -s /tmp/bla f)
>
> at which point I ran it again, and when I did cat /tmp/bla, I got
>
> Main program = Maelstrom
>
> Conclusion:
> -=-=-=-=-=-
>
> You can overwrite arbitrary files with the permissions of the user who ran
> it.
>
> Of course, this won't work on systems that have linking restrictions in /tmp.
>
> Fixing it
> -=-=-=-=-
>
> Remove the code that does the above.
>
>
> --
> www.tasmail.com