Full Disclosure mailing list archives

Symlink attack techniques


From: Werner Schalk <werner_schalk () gmx de>
Date: Wed, 14 Dec 2005 22:42:18 +0000

Hi,

I am currently doing a pentest and I was wondering whether you guys would know 
any symlink attack technique for the following scenario:

On a Unix system there is a cronjob set up which will use the find command to 
create some sort of report and output that report to a predictable file 
in /tmp. So basically the command in the crontab is something like:

15 4  * * 6     root    /usr/bin/find [command] > /tmp/report.txt

Due to the fact that I can't influence what is written to that file but can 
link /tmp/report to a different file (e.g. /etc/passwd), I can cause some 
local disruption/problems, I think. So my question now is: Is there any other 
way of executing code in this scenario? Can I use file descriptors with this?

Any input is greatly appreciated. Thank you. 

All the best,
Werner.
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
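
A hardened form of the report job described in the message above, as an added example that is not part of the original post: the output goes to a randomly named file in a directory other users cannot write to and is then renamed into place, so a link planted at the report path is replaced rather than followed. The function name write_report and the /var/lib/reports path are hypothetical; the `--` arguments assume GNU or busybox tools.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical crontab usage:
#   15 4 * * 6  root  . /usr/local/lib/write_report.sh; \
#       write_report /var/lib/reports/report.txt /usr/bin/find [command]
#
# write_report DEST CMD [ARGS...]
#   Runs CMD and publishes its stdout at DEST without ever opening DEST,
#   so a symlink sitting at DEST is replaced instead of followed.
write_report() {
    dest=$1
    shift
    dir=$(dirname -- "$dest")

    # Refuse directories that group or other can write to (such as /tmp):
    # only there can another user pre-create an entry at DEST.
    if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
        echo "write_report: $dir is group/world-writable" >&2
        return 2
    fi
    # A directory (or a symlink to one) at DEST would make mv move INTO it.
    if [ -d "$dest" ]; then
        echo "write_report: $dest is a directory" >&2
        return 2
    fi

    # mktemp creates the file exclusively, mode 0600, with a random name.
    tmp=$(mktemp "$dir/.report.XXXXXX") || return 1
    if "$@" > "$tmp"; then
        # rename(2) swaps the directory entry; whatever the old entry
        # pointed at is left untouched.
        mv -f -- "$tmp" "$dest"
    else
        rm -f -- "$tmp"
        return 1
    fi
}
```

The permission check does not verify who owns the directory; a production job would also confirm that it is owned by root.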

