Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [linux-security] Pine security problem
From: dupuis () lei ucl ac be (Pascal A. Dupuis)
Date: Thu, 12 Sep 1996 09:41:45 +0200


On Tue, 10 Sep 1996, Liam O. Forbes wrote:

This is in regards to the "fix" of the possible security problem in
Pine < v3.95.  Pine 3.95 does indeed check for symbolic links, now, before
[...]
If you use the alternate editor feature, and a symbolic link exists with the
desired name, the link isn't checked like the mail lock file is, and the editor
dumps everything into the file pointed to by the symbolic link.  This can lead
to several possible security breaches via:
  1.  the ability to mangle a target file.
  2.  the ability to eavesdrop on composed messages.
  3.  (if you are really fancy) the ability to set up at least one bogus
      .rhosts entry by sending email to someone who responds to email by
      quoting entire files.
There are probably several other things that can be done via this /tmp file
problem (and have been).

I tried with my system, running Pine3.95 on Linux 2.0.18.
A) I started composing a message, invoqued the alternate editor (with
Linux and a french keyboard, the command is ^), ??? ). From another login
name, I do :
  cd /tmp
  ln -s pico.pid hacker.tmp
  more hacker.tmp -> permission denied !
B) I started the other way :
  first, from the other login
  ln -s hacker.tmp pico.pid
Then, start composing a message. Invoquing the alternate command resulted
in the error message : "Problem creating pico temp file", and I was unable
to use the alternate editor.
On the Linux system, the /tmp/pico.pid file is created 600, owned by the
Pine user. At first glance, this should be safe, isn't it ?

Pascal A. Dupuis

--
Information Science is emerging from the Prehistoric Ages, but its
language still reflects it : gnu, hurd, awk, nroff, ls, ar, chmod, ...



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]