Bugtraq mailing list archives
A bug in Elm
From: fflush () SUCKAH ML ORG (fflush)
Date: Sun, 4 May 1997 11:52:05 -0400
Hi all,

I ran into an Elm feature the other day which allows you to overwrite anyone's files (provided that certain conditions are met).

When Elm is started, it creates /tmp/mbox.Mailbox, which is there only to tell it that a copy of Elm is running. When you go to "m)ail a message", two more files are created: /tmp/snd.PID and /tmp/est.PID, where PID is the PID of that Elm process. snd.PID is the tempfile where the actual message you're writing is stored, and est.PID contains some sort of temporary data.

The problem lies in the fact that Elm doesn't check if these already exist, and the filenames are quite predictable. If you are so inclined, you could write a program to keep checking if people are starting Elm, and when someone does, make appropriate hard links, for example /tmp/est.PID -> /home/victim/important_file, and when the victim goes to compose a new message, his important_file will be trash.

Another thing this can be used for is stealing the person's mail. If you hardlink /tmp/snd.PID to a world-writable file owned by you, the message that the user writes will be written to it and Elm won't have permission to remove it (since it's owned by you), so you end up with the mail that the victim sent. It's possible to set up a daemon to grab ALL outgoing mail of a user this way.

Fix? Well, Elm should check for the existence of these temporary files before writing to them. If they are there, it should just give an error message and quit. But, then again, this would make it possible for people to deny everyone Elm service by simply touch-ing all the possible tempfile names in /tmp... anyway.

The only version I tried this on is 2.4 PL24 (Linux), which I think is the latest one. If I've discovered an old bug, I apologize.

fflush
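A hardened way to create tempfiles like the ones described in the post, as an added example in C that is not Elm's code: mkstemp(), or open() with O_CREAT|O_EXCL, makes the existence check and the create a single atomic step, so a file or link planted in advance at the expected name is refused rather than truncated, and fstat() on the open descriptor confirms a regular file with a single link owned by the caller. The /tmp/snd.XXXXXX template is a constructed sample name.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not Elm's source. Defence in depth on an open descriptor:
 * a private tempfile should be a regular file with no extra hard links,
 * owned by the user running the program. */
int tmpfd_looks_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 && st.st_uid == getuid();
}

/* Create-or-fail at a caller-chosen name. O_CREAT|O_EXCL makes the existence
 * check and the create one atomic step, so a file or link planted beforehand
 * makes open() fail with EEXIST instead of being truncated. Callers must
 * treat EEXIST as an error, never fall back to opening what is there. */
int open_exclusive_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: mkstemp() replaces the "XXXXXX" suffix with an
 * unpredictable one and creates the file with O_CREAT|O_EXCL, so the name
 * cannot be derived from the PID. tmpl is rewritten in place. */
int open_private_tmp(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (!tmpfd_looks_private(fd)) {  /* should not happen; refuse anyway */
        close(fd); unlink(tmpl); return -1;
    }
    return fd;
}

int main(void)
{
    char tmpl[] = "/tmp/snd.XXXXXX";  /* constructed sample name */
    int fd = open_private_tmp(tmpl);
    if (fd < 0) { perror("open_private_tmp"); return 1; }
    printf("private tempfile: %s\n", tmpl);
    /* A second exclusive create at the now-occupied name is refused (-1). */
    printf("exclusive reopen: %d\n", open_exclusive_tmp(tmpl));
    close(fd);
    unlink(tmpl);
    return 0;
}
```

Note that the atomic create removes the window between "check" and "write" that a check-then-open sequence leaves open; the denial-of-service the post mentions remains, since a pre-planted name still makes the create fail.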