Full Disclosure mailing list archives

Re: Symlink attack techniques

From: Werner Schalk <werner_schalk () gmx de>
Date: Thu, 15 Dec 2005 13:09:49 +0000

Hi,

thanks for all the replies, I really appreciate this.

Assuming that the find command will report a directory or file that you
control, you can use the symlink to overwrite a shell script, and then
place shell commands into your file name:


Ok I should have been more precise in my previous mail. In this scenario I 
don't have control over the output generated by the find command. So 
basically the cronjob is something like:

15 4  * * 6  root  /usr/bin/find /home/userA -type f -print > /tmp/report.txt

Consequently as userB I have no way of influencing what information is printed 
by the find command to /tmp/report.txt but I can surely 
control /tmp/report.txt. Any other ideas of how to exploit this to gain root 
access?

Thank you very very much.

All the best,
Werner.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Symlink attack techniques Werner Schalk (Dec 14)
- Re: Symlink attack techniques H D Moore (Dec 14)
  - Re: Symlink attack techniques Werner Schalk (Dec 15)
    - Re: Symlink attack techniques Joachim Schipper (Dec 15)
    - Re: Symlink attack techniques James Longstreet (Dec 15)
    - Re: Symlink attack techniques Valdis . Kletnieks (Dec 15)
    - Re: Symlink attack techniques Tim (Dec 15)