Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SVGATextMode 1.8 /tmp race
From: dumped () SEKURE ORG (dumped)
Date: Thu, 22 Oct 1998 12:34:22 -0200


On Thu, 21 Oct 1999, Adrian Voinea wrote:

Hello,
savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
mode data in /tmp, in two files with the mode 644:

[/tmp]
root () Death# ls -lA
total 1
drwxrwxrwx   2 root     gods         1024 Sep 24  1998 .X11-unix/

[/tmp]
root () Death# savetextmode
svgalib: Using S3 driver (Trio64, 4096K).
svgalib: s3: chipsets newer than S3-864 is not supported well yet.
svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz

[/tmp]
root () Death# ls -lA
total 35
drwxrwxrwx   2 root     gods         1024 Sep 24  1998 .X11-unix/
-rw-r--r--   1 root     gods        32768 Oct 21 22:56 fontdata
-rw-r--r--   1 root     gods          385 Oct 21 22:56 textregs

Also, I would like to add that savetextmode accepts no parameters.
So... any user on the system that knows that the root is using
SVGATextMode could link any of the files to a file that he wants to be
overwritten.
The e-mail is cc-ed to the maker of SVGATextMode, koen.gadeyne () barco com 


diff -Nur svgalib-1.3.1.buggy/utils/savetextmode svgalib-1.3.1/utils/savetextmode
--- svgalib-1.3.1.buggy/utils/savetextmode      Sat Aug  2 03:37:15 1997
+++ svgalib-1.3.1/utils/savetextmode    Thu Oct 22 12:25:50 1998
@@ -1,3 +1,3 @@
 #!/bin/sh
-restoretextmode -w /tmp/textregs
-restorefont -w /tmp/fontdata
+restoretextmode -w `mktemp /tmp/textregs.XXXXXX`
+restorefont -w `mktemp /tmp/fontdata.XXXXXX`

Stupid.

dumped
http://www.sekure.org
Sekure/Uground Ind.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]