Full Disclosure mailing list archives
Sharutils buggy?
From: full-disclosure () lists netsys com (Roland Postle)
Date: Tue, 16 Jul 2002 01:20:31 +0100
The problem seems to be that by default uudecode uses as the output filename the same filename used when the file was uuencoded. The fix is apparently to stop it following symbolic links. So an attacker couldn't uuencode with a filename that was in the /tmp directory. Then link the file in the tmp directory to whatever they wanted. My guess is you can't specify an absolute path (or ../) in the filename, and the assumption is that lots of people extract these files in the tmp directory where malicious symbolic links might reside. Regardless it's not a 'grave' security problem as some people have said. And no, Uuencode isn't (or shouldn't be) suid/sgid before you ask.

- Blazde

----- Original Message -----
From: "martin f krafft" <madduck () madduck net>
To: "full-disclosure people" <full-disclosure () lists netsys com>
Sent: Tuesday, July 16, 2002 12:24 AM
Subject: [Full-disclosure] Sharutils buggy?