Full Disclosure mailing list archives

Re: Symlink attack techniques


From: James Longstreet <jlongs2 () uic edu>
Date: Thu, 15 Dec 2005 18:14:51 -0600


On Dec 15, 2005, at 7:09 AM, Werner Schalk wrote:

Ok I should have been more precise in my previous mail. In this scenario I
don't have control over the output generated by the find command. So
basically the cronjob is something like:

15 4 * * 6 root /usr/bin/find /home/userA -type f -print > /tmp/report.txt

Consequently, as userB I have no way of influencing what information is printed
by the find command to /tmp/report.txt, but I can surely
control /tmp/report.txt. Any other ideas of how to exploit this to gain root
access?

Since it doesn't seem like you can control what gets written to the file, you probably can't directly get root access from there. The output could have some ill effect if written to the correct file... hard to know without knowing what the output is.

Of course, as was already suggested, you can be malicious and destructive and destroy /etc/passwd (or any other file on the system), but I don't see right away how to gain root from that.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
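The weakness the thread discusses is a root cron job truncating a fixed, predictable name under world-writable /tmp, where another user can pre-place a symlink. The script below is an added example written for this archive page, not code from either poster: it shows the two defensive changes an administrator would make to that cron line, a `target_is_safe` pre-flight check for the case where the fixed path cannot be changed (refuses symlinks, non-regular files and files owned by someone else), and a `write_report` function that instead creates the report with `mktemp` inside a directory assumed to be owned by the invoking user with mode 0700 (the directory path and the `report.XXXXXX` template are this example's assumptions, not anything from the thread).

```shell
#!/bin/sh
# Added example: hardened replacement for
#   find /home/userA -type f -print > /tmp/report.txt
# run from root's crontab. Nothing here comes from the mailing-list thread.

# target_is_safe PATH
# Returns 0 only if PATH is safe to (re)create by the caller: it does not
# exist, or it is a regular file owned by the caller and not a symbolic link.
# Use this when the output path is fixed and cannot be moved out of /tmp.
target_is_safe() {
    target=$1
    # -h is true for a symlink, even a dangling one. This is exactly the
    # pre-placed /tmp/report.txt -> /etc/passwd case: refuse to follow it.
    if [ -h "$target" ]; then
        return 1
    fi
    if [ -e "$target" ]; then
        [ -f "$target" ] || return 1   # fifo, device or directory: refuse
        [ -O "$target" ] || return 1   # exists but owned by another user
    fi
    return 0
}

# write_report SRC_DIR REPORT_DIR
# Writes the file list of SRC_DIR into a freshly created, uniquely named
# file under REPORT_DIR and prints that path. REPORT_DIR is assumed to be
# a real directory owned by the caller (e.g. a 0700 directory under
# /var/lib, not /tmp); the function refuses anything else.
write_report() {
    src=$1
    dir=$2
    [ -d "$dir" ] && [ ! -h "$dir" ] && [ -O "$dir" ] || return 1
    # mktemp opens the name with O_EXCL and mode 0600, so a name that an
    # attacker pre-created (file or symlink) cannot be reused.
    out=$(mktemp "$dir/report.XXXXXX") || return 1
    # The file was created exclusively one line above; append to it rather
    # than truncating through a path lookup that could be redirected.
    find "$src" -type f -print >> "$out" || return 1
    printf '%s\n' "$out"
}

# Stand-alone demo: ./report.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    mkdir "$d/src" "$d/out"
    : > "$d/src/a"; : > "$d/src/b"
    ln -s /etc/hostname "$d/link"     # constructed attacker-style symlink
    target_is_safe "$d/link" && echo "BUG: symlink accepted" || echo "symlink refused"
    echo "report written to: $(write_report "$d/src" "$d/out")"
    rm -rf "$d"
fi
```

In a crontab the second function would replace the quoted line entirely; the first is the fallback check for scripts that must keep writing to a fixed path, and it still leaves a check-then-write window, which is why moving the output out of a shared directory is the real fix.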