Full Disclosure mailing list archives

Sharutils buggy?

From: full-disclosure () lists netsys com (Charles 'core' Stevenson)
Date: Mon, 15 Jul 2002 18:32:04 -0600

Actually it uses the full path.. at least on debian.. see previously 
attached concept exploit. Of course I had to create a retarded mail 
program that simply rand uudecode on the attachment. ;)

peace,
core

Roland Postle wrote:

The problem seems to be that by default uudecode uses as the output filename
the same filename used when the file was uuencoded. The fix is apparently to
stop it following symbolic links. So an attacker couldn't uuencode with a
filename that was in the /tmp directory. Then link the file in the tmp
directory to whatever they wanted. My guess is you can't specify an absolute
path (or ../) in the filename, and the assumption is that lots of people
extract these files in the tmp directory where malicous symbolic links might
reside.

Regardless it's not a 'grave' security problem as some people have said. And
no, Uuencode isn't (or shouldn't be) suid/sgid before you ask.

- Blazde

----- Original Message -----
From: "martin f krafft" <madduck () madduck net>
To: "full-disclosure people" <full-disclosure () lists netsys com>
Sent: Tuesday, July 16, 2002 12:24 AM
Subject: [Full-disclosure] Sharutils buggy?



_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure

Current thread:

Sharutils buggy? martin f krafft (Jul 15)
- Sharutils buggy? Roland Postle (Jul 15)
  - Sharutils buggy? Charles 'core' Stevenson (Jul 15)
- Sharutils buggy? Charles 'core' Stevenson (Jul 15)
  - Sharutils buggy? Charles 'core' Stevenson (Jul 15)
    - Sharutils buggy? Charles 'core' Stevenson (Jul 15)
    - Sharutils buggy? KF (Jul 15)
    - Sharutils buggy? KF (Jul 15)
- Sharutils buggy? Peter Bieringer (Jul 16)
  - Sharutils buggy? Charles 'core' Stevenson (Jul 16)