Full Disclosure mailing list archives

Re: Symlink attack techniques

From: Tim <tim-security () sentinelchicken org>
Date: Thu, 15 Dec 2005 19:44:24 -0500

Ok I should have been more precise in my previous mail. In this scenario I 
don't have control over the output generated by the find command. So 
basically the cronjob is something like:

15 4 ?* * 6 ?root ?/usr/bin/find /home/userA -type f -print > /tmp/report.txt

Consequently as userB I have no way of influencing what information is printed 
by the find command to /tmp/report.txt but I can surely 
control /tmp/report.txt. Any other ideas of how to exploit this to gain root 
access?


hmmmm, as userB, you do have a way to influence userA's files.  It's
staring you right in the face.

Symlink /tmp/report to a malicious filename under /home/userA, much like
H D Moore suggested.

Then, before the next cronjob runs, re-symlink it to a script that will
execute your command.

Never tried something like that, but with enough hackery, it seems like
it could work.

good luck,
tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Symlink attack techniques Werner Schalk (Dec 14)
- Re: Symlink attack techniques H D Moore (Dec 14)
  - Re: Symlink attack techniques Werner Schalk (Dec 15)
    - Re: Symlink attack techniques Joachim Schipper (Dec 15)
    - Re: Symlink attack techniques James Longstreet (Dec 15)
    - Re: Symlink attack techniques Valdis . Kletnieks (Dec 15)
    - Re: Symlink attack techniques Tim (Dec 15)