Re: Insecure use of file in /tmp by trn

Rogier Wolff (R.E.WolffBITWIZARD.NL)
Sat, 21 Aug 1999 17:47:37 +0200

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: Georgi Guninski: "IE 5.0 allows executing programs"
• Previous message: Wakko Ellington Warner-Warner III: "Re: portmap.c Trojan"
• In reply to: goatkiller: "portmap.c Trojan"

Martin Schulze wrote:
> This was not intentional by the author, he tried to use tempfile(1) to
> create the temporary filename. However, due to a thinko, the name was
> hardcoded into the script.
[...]
> +#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"

So now you're using tempfile? This usually yields an easily
predictable filename, for which the same exploits hold. Just keep an
eye out for the last PID issued, and OK, this time you might need to
flip a link (provided that tempfile indeed refuses to return a file
that is currently symlinked.)

                                        Roger.

--
** R.E.WolffBitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------

• Next message: Georgi Guninski: "IE 5.0 allows executing programs"
• Previous message: Wakko Ellington Warner-Warner III: "Re: portmap.c Trojan"
• In reply to: goatkiller: "portmap.c Trojan"

This archive was generated by hypermail 2.0b3 on Sun Aug 22 1999 - 07:52:09 CDT