Bugtraq mailing list archives
Re: Insecure use of file in /tmp by trn
From: R.E.Wolff () BITWIZARD NL (Rogier Wolff)
Date: Mon, 23 Aug 1999 08:49:24 +0200
Martin Schulze wrote:
Rogier Wolff wrote:Martin Schulze wrote:This was not intentional by the author, he tried to use tempfile(1) to create the temporary filename. However, due to a thinko, the name was hardcoded into the script.[...]+#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"So now you're using tempfile? This usually yields an easilyNo, but now we're using tempfile in a proper way. In the original source code it was used like: NNTPactive=`tempfile -p active`
This is what I meant. You've made it just a teeny bit harder to exploit, but the same expoit is still there. 10 years ago, this solution would've been adequate. Nowadays everbody should know that this is very hard to get right. Mover the "bad guys" already have the exploit programs ready. Creating a tempfile from a C program is possible since we have a mkstmp call. It is sufficiently tricky that I wouldn't dare replicating the functionality myself. Creating a private directory in /tmp and putting the tempfiles in there might be the only solution for shell scripts. Roger. -- ** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 ** *-- BitWizard writes Linux device drivers for any device you may have! --* ------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
Current thread:
- Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 22)
- Re: Insecure use of file in /tmp by trn Martin Schulze (Aug 23)
- <Possible follow-ups>
- Re: Insecure use of file in /tmp by trn Richard Kettlewell (Aug 23)
- Re: Insecure use of file in /tmp by trn Ben Pfaff (Aug 24)
- Re: Insecure use of file in /tmp by trn Theo de Raadt (Aug 27)
- Re: Insecure use of file in /tmp by trn Martin Schulze (Aug 29)
- WU-FTPD Security Update Thomas Biege (Aug 29)
- Re: Insecure use of file in /tmp by trn Luca Berra (Aug 30)
- Re: Insecure use of file in /tmp by trn Shuman (Aug 28)
- Re: Insecure use of file in /tmp by trn Todd C. Miller (Aug 30)
- Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 28)
- Re: Insecure use of file in /tmp by trn Theo de Raadt (Aug 27)
(Thread continues...)