Bugtraq Archives: Re: Insecure use of file in /tmp by trn

Re: Insecure use of file in /tmp by trn


Martin Schulze (joeyFINLANDIA.INFODROM.NORTH.DE)
Mon, 23 Aug 1999 10:35:21 +0200


Rogier Wolff wrote:
> > > > This was not intentional by the author, he tried to use tempfile(1) to
> > > > create the temporary filename. However, due to a thinko, the name was
> > > > hardcoded into the script.
> > > [...]
> > > > +#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"
> > >
> > > So now you're using tempfile? This usually yields an easily
> >
> > No, but now we're using tempfile in a proper way. In the original source
> > code it was used like:
> >
> > NNTPactive=`tempfile -p active`
>
> This is what I meant. You've made it just a teeny bit harder to exploit,
> but the same exploit is still there.
>
> 10 years ago, this solution would've been adequate. Nowadays everybody
> should know that this is very hard to get right. Moreover the "bad guys"
> already have the exploit programs ready.
>
> Creating a tempfile from a C program is possible since we have a
> mkstemp call. It is sufficiently tricky that I wouldn't dare

I'm sorry, but I don't understand. tempfile is a C program that creates
a tempfile.

DESCRIPTION
       tempfile creates a temporary file in a safe manner. It
       uses tempnam(3) to choose the name and opens it with
       O_RDWR | O_CREAT | O_EXCL. The filename is printed on
       standard output.

> replicating the functionality myself. Creating a private directory in
> /tmp and putting the tempfiles in there might be the only solution for
> shell scripts.

In which case you only make things more difficult to exploit, since such
a directory would be just as guessable as a temp filename would, and the
same goes for the file inside it.

Regards,

        Joey

--
Whenever you meet yourself you're in a time loop or in front of a mirror.
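As an added example (not code from this thread, from trn, or from Debian's tempfile(1)): a POSIX shell script showing the two approaches the messages above argue about, a mode-0600 file created with an exclusive open and a private mode-0700 directory under /tmp, next to the hardcoded "/tmp/active.$$" pattern the original script used. It assumes mktemp(1) is available (GNU coreutils or BSD; tempfile(1) itself is Debian-specific). The function names are hypothetical and the contents of the "active" file are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread or from trn. Assumes mktemp(1) from
# GNU coreutils or BSD; tempfile(1) discussed above is Debian-specific.
#
# INSECURE pattern from the trn script (shown only, never executed here):
#   NNTPactive="/tmp/active.$$"     # predictable name, no exclusive create
#   ... > "$NNTPactive"             # '>' follows a symlink an attacker planted
#
# A predictable name is only dangerous because the name is chosen in one
# step and opened in another.  mktemp(1) does both at once: it creates the
# file (O_CREAT|O_EXCL) or directory (mkdir) and fails if the name is taken,
# so a guessed name buys the attacker nothing as long as the script treats
# that failure as fatal instead of falling back to a fixed path.

set -u

# Create a mode-0700 directory with an unpredictable name under $TMPDIR
# (default /tmp) and print its path.  Hypothetical helper name.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/trn-active.XXXXXX"
}

# Create a mode-0600 regular file inside the given directory and print its
# path.  Hypothetical helper name.
make_tmpfile_in() {
    mktemp "$1/active.XXXXXX"
}

# Defence-in-depth check before using a path mktemp handed back:
# not a symlink, of the expected kind ("file" or "dir"), owned by us.
# Returns 0 on success, 1 otherwise.
check_tmp_path() {
    path="$1"; kind="${2:-file}"
    # refuse symlinks first; -f and -d would follow them
    [ ! -L "$path" ] || return 1
    case "$kind" in
        dir) [ -d "$path" ] || return 1 ;;
        *)   [ -f "$path" ] || return 1 ;;
    esac
    # owned by the current user; find -user is POSIX, test -O is not
    [ -n "$(find "$path" -prune -user "$(id -un)" 2>/dev/null)" ] || return 1
    return 0
}

# The whole workflow as trn's script would use it: private directory,
# file inside it, cleanup on any exit.  Prints the number of lines written
# to the temporary "active" file (2 for the constructed sample below).
fetch_active_safely() {
    dir=$(make_private_tmpdir) || return 1
    # remove the directory and everything in it on normal exit or signal
    trap 'rm -rf "$dir"' EXIT HUP INT TERM
    check_tmp_path "$dir" dir || return 1
    active=$(make_tmpfile_in "$dir") || return 1
    check_tmp_path "$active" file || return 1
    # constructed sample of what an NNTP "active" file looks like
    printf '%s\n' 'comp.security.unix 0000012345 0000012000 y' \
                  'alt.test 0000000042 0000000001 y' > "$active"
    wc -l < "$active" | tr -d ' '
}
```

Run with `sh` on a system that has mktemp. The check function is deliberately separate from the creation step: a script that ever reuses a name it did not just create (after an rm, after a restart, from a config file) should run it before every open, since the exclusive create only protects the one call that made the file.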



This archive was generated by hypermail 2.0b3 on Wed Aug 25 1999 - 20:09:10 CDT