Bugtraq mailing list archives
/tmp race in Linux kernel source!
From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Mon, 16 Mar 1998 02:20:37 +0100
Ok.. got all your attention there? It's not as bad as it looks ;)

But there _is_ a /tmp race in /usr/src/linux/scripts/Configure, as used by
make config (which is, IMHO, obsoleted by make menuconfig):

    if [ -f $DEFAULTS ]; then
      echo "#"
      echo "# Using defaults found in" $DEFAULTS
      echo "#"
      . $DEFAULTS
      sed -e 's/# \(.*\) is not.*/\1=n/' < $DEFAULTS > /tmp/conf.$$
      . /tmp/conf.$$
      rm /tmp/conf.$$
    else

File is created and sourced. What more could you wish? And to exploit you'll
have from start of script to this point to catch it and create a fifo in /tmp.
You know the rest (think GCC symlink exploit): get whatever it puts into the
fifo and give it back with a little extra, like creating suid shell in /tmp.

Greetz, Peter.

------------------------------------------------------------------------------
 'Selfishness and separation have led me to  .  Peter 'Hardbeat' van Dijk
 to believe that the world is not my problem .  network security consultant
 I am the world. And you are the world.'     .  (yeah, right...)
 Live - 10.000 years (peace is now)          .  peter () attic vuurwerk nl
------------------------------------------------------------------------------
 2:08am  up 1 day, 12:05,  6 users,  load average: 1.10, 1.18, 1.17
------------------------------------------------------------------------------
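A hardened form of the Configure fragment quoted above, as an added example that is not part of the original post or the kernel source. The function name load_defaults and the sample defaults file are assumptions made for illustration; mktemp is assumed to be available (it is not in POSIX but ships with common userlands).

```sh
#!/bin/sh
# Added example: same defaults handling as the quoted fragment, without the
# predictable /tmp/conf.$$ path. load_defaults is a hypothetical name.

load_defaults() {
    _ld_src=$1
    # "." searches $PATH for names without a slash, so anchor relative names.
    case $_ld_src in */*) ;; *) _ld_src=./$_ld_src ;; esac
    [ -f "$_ld_src" ] || return 1

    # mktemp -d atomically creates a mode-0700 directory with an
    # unpredictable name. Nothing another user plants at a guessed
    # /tmp/conf.<pid> path (file, symlink or FIFO) is ever opened,
    # and nobody else can create entries inside the new directory.
    _ld_dir=$(mktemp -d "${TMPDIR:-/tmp}/conf.XXXXXXXXXX") || return 1
    _ld_tmp=$_ld_dir/conf

    . "$_ld_src"

    # Same transformation as the quoted fragment:
    # "# CONFIG_X is not set" becomes "CONFIG_X=n".
    if sed -e 's/# \(.*\) is not.*/\1=n/' < "$_ld_src" > "$_ld_tmp"; then
        . "$_ld_tmp"
        _ld_rc=0
    else
        _ld_rc=1
    fi

    rm -rf "$_ld_dir"
    return "$_ld_rc"
}

# Demo on a constructed defaults file (sample values, not a real .config).
sample=$(mktemp "${TMPDIR:-/tmp}/defaults.XXXXXXXXXX") || exit 1
printf '%s\n' '#' 'CONFIG_NET=y' '# CONFIG_SOUND is not set' > "$sample"
load_defaults "$sample" && echo "CONFIG_NET=$CONFIG_NET CONFIG_SOUND=$CONFIG_SOUND"
rm -f "$sample"
```
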