Date: Thu, 16 Nov 2000 13:05:30 -0500 From: John Madden <weez@AVENIR.DHS.ORG> Subject: Re: Joe's Own Editor File Link Vulnerability To: BUGTRAQ@SECURITYFOCUS.COM > VULNERABILITY EXAMPLE > - - Root is logged in remote > - - Malicious user (X) notices that root is editing file.txt in /tmp > (where X has write permissions) > - - X creates a link from /etc/passwd (root = write permission) to > /tmp/DEADJOE > - - Root's connection is dropped or terminated under abnormal conditions > (for example: root halts the system) before file.txt is saved, the > editor will write a rescue copy to /tmp/DEADJOE Correction: joe creates DEADJOE in the present working directory, not /tmp. root would have to be working in /tmp for this to work. Of course, the link could be in /home/foouser to /etc/passwd, but that makes the exploit a bit more difficult. (Tested on slackware 7.0, default joe installation) John -- # John Madden weez@avenir.dhs.org ICQ: 2EB9EA # UNIX Systems Engineer, Ivy Tech State College # FreeLists, Free mailing lists for all: http://www.freelists.org # Sys-Admin / Webmaster, Avenir Web: http://avenir.dhs.org # Linux, Apache, Perl and C: All the best things in life are free!