Bugtraq mailing list archives
CERT Vendor-Initiated Bulletin VB-97.05 - Vul in Lynx Temporary
From: dube0866 () EUROBRETAGNE FR (Nicolas Dubee)
Date: Sat, 1 Jan 1994 23:09:09 +0100
plaguez security advisory n. 7 admin-v1.2 vulnerabilities Program: the admin-v1.2 package, a system administration tool. Version: current (v1.2) older ones. OS: verified on Linux, maybe others too. Problem: temporary files / symlinks Impact: any file on an affected system can be overwritten, regardless of access permissions. hello, this week, I'll focus on a little sysadmin tool called admin-v1.2 (found on Sunsite: system/Admin/), and I'll show how several little vulnerabilities can be exploited to trash any file on an affected system. as always, sorry if it's known stuff. Description: ------------ Several vulnerabilities exist in the admin-v1.2 package, an interactive system managment tool by Emmett Sauer and Linux Business Systems. By exploiting those vulnerabilities, local users can erase arbitrary files on the system, regardless of access permissions. admin-v1.2 does not properly handle temporary files. It writes user menu choices and more to temporary files in the /tmp directory. These files are named using the syntax /tmp/name.$$, some do not even use the $$ suffix. Unfortunatly, admin-v1.2 does not check if these files exist and will follow symlinks. It is then possible to overwrite any file on the system. An attacker could for example link any of these temporary files to /etc/passwd or /.rhosts and wait for the administrator to use admin-v1.2. The target file would be erased or trashed with random data. It may also be possible to use admin-v1.2 to gain root privileges, though I did not manage to do it. Fix: ---- Remove the admin-v1.2 package. well, that's it for this week. Next week, next hole ! :) --------------------------- plaguez dube0866 () eurobretagne fr http://plaguez.insomnia.org --------------------------- _Free_ security probes, Unix programming. ps.: the above url courtesy of TheFloyd.
Current thread:
- Vulnerability in Glimpse HTTP Razvan Dragomirescu (Jul 02)
- Re: Vulnerability in Glimpse HTTP Brian Gentry (Jul 02)
- Re: Vulnerability in Glimpse HTTP Jean-Christophe Touvet (Jul 03)
- Re: Vulnerability in Glimpse HTTP Paul Phillips (Jul 08)
- Re: Vulnerability in Glimpse HTTP Oliver Friedrichs (Jul 09)
- CERT Vendor-Initiated Bulletin VB-97.05 - Vul in Lynx Temporary Nicolas Dubee (Jan 01)
- Re: Vulnerability in Glimpse HTTP Martin Pool (Jul 10)
- It's not over yet. Aleph One (Jul 11)
- It's not over yet. Manley, Jim W (Jul 11)
- More information about JavaScript bug Dominick Matthias PN OIL 6 (Jul 11)
- new post SP3 hotfix: lm-fix Alex Libenson (Jul 12)
- Minor PGP vulnerability Harald Weidner (Jul 15)
- GetAdmin - Hotfix silent release ? Olivier Gerschel (Jul 16)
- Re: Minor PGP vulnerability Lucky Green (Jul 16)
- CERT Advisory CA-97.21 - SGI Buffer Overflow Vulnerabilities Aleph One (Jul 17)
- slight misinformation in CA-97.21 Dave Kormann (Jul 17)
- Re: Vulnerability in Glimpse HTTP Brian Gentry (Jul 02)