Bugtraq mailing list archives
Re: [hacksware]Pine temporary file hijacking vulnerability
From: Peter W <peterw () USA NET>
Date: Mon, 11 Dec 2000 15:24:15 -0500
At 5:43pm Dec 11, 2000, JW Oh wrote:
pine creates it's temporary in in /tmp directory with names like /tmp/pico.007292(where 7292 is the pid of pine process running). You can simply symlink this file(/tmp/pico.<pid>) to another file that doesn't exist. When victim is editing message victim editor vi follows symlinks and creates another file. By removing this symlink and creating your own temporary file and making it writable to victim, you can hijack his mail message.
I tried this on my box, and couldn't get the same result. I suspect this is because I have TMP and TMPDIR environment variables set. Using 'strace' I can see Pine work with temp files in the directory specified by TMP and TMPDIR. So, once again, TMP/TMPDIR trump the /tmp default. Sure, it would be nice if all apps were safe in their use of temp files. It would be nice if there was an easy, portable way to ensure safe temp file operations (mkstemp()?) but in the meantime, don't panic. Set safe values for TMP and TMPDIR and Pine behaves well. See http://www.securityfocus.com/archive/1/144002 for a TMP/TMPDIR script. -Peter Congrats to JJB and Fede; you know what for. ;-) Happy Lucia Day (almost) to the G clan worldwide.
Current thread:
- Re: where user temp files should go, env var names, (continued)
- Re: where user temp files should go, env var names Peter W (Dec 14)
- Re: where user temp files should go, env var names Andrzej Chabierski (Dec 16)
- Re: where user temp files should go, env var names Valdis Kletnieks (Dec 18)
- Re: where user temp files should go, env var names Aaron Drew (Dec 18)
- Re: where user temp files should go, env var names Mike A. Harris (Dec 19)
- Re: where user temp files should go, env var names Nick Phillips (Dec 21)
- Re: where user temp files should go, env var names Peter J . Holzer (Dec 21)
- Re: where user temp files should go, env var names Doug Wyatt (Dec 21)
- Message not available
- Re: where user temp files should go, env var names Jay R. Ashworth (Dec 21)
- Re: where user temp files should go, env var names Peter W (Dec 14)
- Re: [hacksware]Pine temporary file hijacking vulnerability Christopher X. Candreva (Dec 14)