Full Disclosure mailing list archives
Re: Symlink attack techniques
From: James Longstreet <jlongs2 () uic edu>
Date: Thu, 15 Dec 2005 18:14:51 -0600
On Dec 15, 2005, at 7:09 AM, Werner Schalk wrote:
> Ok I should have been more precise in my previous mail. In this scenario I don't have control over the output generated by the find command. So basically the cronjob is something like:
>
> 15 4 * * 6 root /usr/bin/find /home/userA -type f -print > /tmp/report.txt
>
> Consequently as userB I have no way of influencing what information is printed by the find command to /tmp/report.txt but I can surely control /tmp/report.txt. Any other ideas of how to exploit this to gain root access?
Since it doesn't seem like you can control what gets written to the file, you probably can't directly get root access from there. The output could have some ill effect if written to the correct file... hard to know without knowing what the output is.
Of course, as was already suggested, you can be malicious and destructive and destroy /etc/passwd (or any other file on the system), but I don't see right away how to gain root from that.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
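A hardened form of the cron job discussed in this message, as an added example that is not part of the original thread: the report is written to an unpredictable temporary file in a directory other users cannot write to, then renamed into place, so a symlink planted at the report path is replaced rather than followed. The function name `write_report` and the report directory argument are hypothetical; the example assumes the directory is owned by the account running the job.

```shell
#!/bin/sh
# Added example: replacement for
#   /usr/bin/find /home/userA -type f -print > /tmp/report.txt
# write_report and its arguments are hypothetical names.

# write_report SRC_DIR REPORT_DIR
write_report() {
    src=$1
    dir=$2

    # The report directory must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a real directory" >&2
        return 1
    fi

    # The real protection: other users must not be able to create
    # entries here. A world-writable directory (like /tmp) is refused.
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "refusing: $dir is world-writable" >&2
        return 1
    fi

    # Defence in depth: mv would move INTO a directory (or a symlink
    # to one) sitting at the report path, so refuse that case.
    if [ -d "$dir/report.txt" ]; then
        echo "refusing: $dir/report.txt is a directory" >&2
        return 1
    fi

    # mktemp creates a new file exclusively (mode 0600) under an
    # unpredictable name, so the redirection never opens an existing path.
    tmp=$(mktemp "$dir/report.XXXXXX") || return 1
    if ! find "$src" -type f -print > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # rename(2) swaps the directory entry; a symlink at the final name
    # is replaced, and its target is never written to.
    mv -f "$tmp" "$dir/report.txt"
}

# Stand-alone use: sh script.sh /home/userA /var/reports
if [ "$#" -eq 2 ]; then
    write_report "$1" "$2"
fi
```
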