Bugtraq mailing list archives
Fw: tetex-0.4pl8 world-writable database
From: lcamtuf () BOSS STASZIC WAW PL (Michał Zalewski)
Date: Fri, 20 Feb 1998 13:14:26 +0100
BRIEFING:

The tetex-0.4pl8 package (and previous ones) includes a world-writable/readable database file, /usr/lib/texmf/texmf/ls-R. ls-R stores locations of TeX scripts to speed up access. In a trusted environment, a user may add his own components, fonts, etc., and list them there. Otherwise this file seems to be mostly harmless, so the ls-R database has mode 666 in standard TeX distributions.

Hmmm, but it isn't quite harmless... One of the paths listed in this file may be modified a little, and then TeX will read our evil script instead of the original one... The TeX language is quite powerful, so a modified script may do almost anything with the processed document, or even access files on the victim's account:

-- lame_example.ltx --
\begin{filecontents}{NotFunnyFile}
Just An Useless Example
\end{filecontents}
-- eof --

EXPLOIT:

Nothing at this time, there's no reason to write it.

FIX:

chmod 644 /usr/lib/texmf/texmf/ls-R, or, if possible, chattr to append-only. If you're unsure if your ls-R has already been modified - rebuild it.

Note, ls-R is root-owned, so it's stupid to leave it world-writable, even in append-only mode - anyone may execute cp /dev/zero>>ls-R...

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
To iterate is human, to recurse, divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
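An added example, not part of the original message or of teTeX: a Python audit that flags a world-writable ls-R and any directory entry in it that resolves outside the texmf tree, then re-checks after the fix. It assumes the ls-R layout of `directory:` header lines followed by file names, with `%` comment lines; `audit_ls_r` and `demo` are hypothetical names and the sample tree is constructed.

```python
import os
import stat
import tempfile

def audit_ls_r(db_path):
    """Return findings for one ls-R database (assumed format: 'dir:' headers, then names)."""
    findings = []
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    if mode & stat.S_IWOTH:
        findings.append("world-writable database (mode %o)" % mode)
    root = os.path.realpath(os.path.dirname(db_path))
    current = None
    with open(db_path, errors="replace") as fh:
        for line in (raw.rstrip("\n") for raw in fh):
            if not line or line.startswith("%"):
                continue  # blank separators and comment lines
            if line.endswith(":"):
                # Directory header: resolve it and require it to stay inside the tree.
                current = os.path.realpath(os.path.join(root, line[:-1]))
                if os.path.commonpath([root, current]) != root:
                    findings.append("directory outside tree: " + line[:-1])
                    current = None
                elif not os.path.isdir(current):
                    findings.append("missing directory: " + line[:-1])
                    current = None
            elif current and not os.path.lexists(os.path.join(current, line)):
                findings.append("listed file not on disk: " + line)
    return findings

def demo():
    """Build a constructed texmf tree, audit it, apply the fix, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "texmf")
        os.makedirs(os.path.join(root, "tex", "latex"))
        open(os.path.join(root, "tex", "latex", "article.cls"), "w").close()
        db = os.path.join(root, "ls-R")
        good = "./tex/latex:\narticle.cls\n"
        with open(db, "w") as fh:  # constructed sample: one entry redirected elsewhere
            fh.write(good + "\n/tmp/elsewhere:\narticle.cls\n")
        os.chmod(db, 0o666)  # the mode the message reports for standard distributions
        before = audit_ls_r(db)
        with open(db, "w") as fh:  # stand-in for rebuilding the database
            fh.write(good)
        os.chmod(db, 0o644)  # the fix given in the message
        return before, audit_ls_r(db)

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

A symlinked directory inside the tree that legitimately points elsewhere will also be reported as outside the tree and needs manual review.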