Bugtraq mailing list archives

Re: Acrobat reader 5.05 temp file insecurity

From: <secfocus () downhill at eu org>
Date: 25 Jul 2002 13:33:35 -0000

In-Reply-To: <200206242133.g5OLXgS78108 () milan maths usyd edu au>

<psz () maths usyd edu au (Paul Szabo)> wrote
[...]

Acroread creates or overwrites the file

/tmp/AdobeFnt06.lst.UID, and

changes its permissions to wide open (mode 666); it

also follows

symlinks. The attack is obvious:

 ln -s ~victim/.bashrc /tmp/AdobeFnt06.lst.VUID

and wait for victim to use acroread; then we can write

his .bashrc.

Adobe claims to have fixed this in 5.06:
README:
| New for Acrobat Reader 5.0.6
|
| A security patch was applied that solves the problem
| reported in
http://online.securityfocus.com/archive/1/278984 where
| opening the font cache when the application starts up
| can unintentionally cause the permissions of other
| files to change.
              cu andreas

Current thread:

Re: Acrobat reader 5.05 temp file insecurity Paul Szabo (Jul 04)
- <Possible follow-ups>
- Re: Acrobat reader 5.05 temp file insecurity secfocus (Jul 25)