
Acroread symlink vulnerability via /tmp
27th Jun 2002 [SBWID-5492]



	Acrobat Reader version "x86 linux 5.0.5 Apr 25 2002 11:55:36" (Other
	UNIX versions probably also affected.)


	Paul Szabo says:


	Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and
	changes its permissions to wide open (mode 666); it also follows
	symlinks. The attack is obvious:

	  ln -s ~victim/.bashrc /tmp/AdobeFnt06.lst.VUID


	and wait for victim to use acroread; then we can write his .bashrc.



	 Patch (update 25 July 2002)



	Get Acrobat reader 5.06




	I use the following wrapper around acroread (move original script or
	binary to acroread.real, put this in its place). Use TMPDIR, but also
	ensure file in /tmp is safe (in case writing in TMPDIR fails for some
	reason: diskquota?). With file in /tmp, leaves no race with the open()
	in acroread, just a window of opportunity to mess with the data.

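	#!/usr/bin/perl --

	# Real acroread, the file it writes in /tmp, and a private directory
	# holding a file of the same name.
	$PROG = '/usr/share/Acrobat/505/bin/acroread.real';
	$TMPF = "/tmp/AdobeFnt06.lst.$<";
	$MYTD = "$ENV{'HOME'}/.acrobat";
	$MYTF = "$MYTD/AdobeFnt06.lst.$<";

	# The text says to use TMPDIR; point it at the private directory.
	$ENV{'TMPDIR'} = $MYTD;

	use Fcntl;

	# Die unless $nam is a plain file (not a symlink or directory), owned
	# by the caller, with a single link; then force its mode to 0600.
	sub checkfix {
	  my ($nam, $msg) = @_;
	  ($dev,$ino,$mode,$nlink,$uid,$gid,@rest) = lstat( $nam );
	  ( -f _ and ! -l _ and ! -d _ ) or die "$msg: $nam is not a file\n";
	  # BEWARE: on some systems, $gid comes from directory
	  ( $uid == $< and $gid == $( ) or die "$msg: $nam is not your own\n";
	  ( $nlink == 1 ) or die "$msg: $nam has hardlinks\n";
	  chmod( 0600, $nam ) or die "$msg: cannot chmod $nam\n";
	}

	$< > 99 or die "No daemons\n";

	# Pre-create the files with O_EXCL. A failure (for example, the name
	# already exists) is ignored here: checkfix() vets whatever is there.
	sysopen( F, $TMPF, O_RDWR|O_CREAT|O_EXCL, 0600 )
	  and close( F )
	  #and print "Pre-created $TMPF\n"
	  ;

	mkdir( $MYTD, 0700 )
	  #and print "Pre-created $MYTD\n"
	  ;
	sysopen( F, $MYTF, O_RDWR|O_CREAT|O_EXCL, 0600 )
	  and close( F )
	  #and print "Pre-created $MYTF\n"
	  ;

	# Check before running acroread, and again after it has written.
	&checkfix( $TMPF, "Tricked" );
	&checkfix( $MYTF, "Tricked" );
	system( $PROG, @ARGV );
	&checkfix( $TMPF, "After acroread" );
	&checkfix( $MYTF, "After acroread" );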
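
The following is an added example, not part of the original advisory or of Paul Szabo's wrapper. It applies the same three checks as checkfix() (regular file, own uid, single link) to an open file descriptor, which is how a program that creates such a file itself can avoid following a planted link. The function names and the scratch file names are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

def open_private(path):
    """Open/create path, checking the opened object itself; returns an fd."""
    # O_NOFOLLOW: fail (ELOOP) if the final path component is a symlink.
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)  # describes the inode we hold, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a file")
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path} is not your own")
        if st.st_nlink != 1:
            raise PermissionError(f"{path} has hardlinks")
        os.fchmod(fd, 0o600)  # changes the opened inode, never a path
    except OSError:
        os.close(fd)
        raise
    return fd

def refused(path):
    try:
        os.close(open_private(path))
        return False
    except OSError:
        return True

def demo():
    """Constructed scenario in a scratch directory (all names are made up)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "bashrc")  # stands in for ~victim/.bashrc
        with open(target, "w") as f:
            f.write("# victim data\n")
        os.chmod(target, 0o644)
        sym = os.path.join(d, "AdobeFnt06.lst.1000")
        os.symlink(target, sym)
        hard = os.path.join(d, "AdobeFnt06.lst.1001")
        os.link(target, hard)
        fd = open_private(os.path.join(d, "AdobeFnt06.lst.1002"))
        clean_mode = stat.S_IMODE(os.fstat(fd).st_mode)
        os.close(fd)
        return {"symlink_refused": refused(sym), "hardlink_refused": refused(hard),
                "target_mode": stat.S_IMODE(os.stat(target).st_mode),
                "clean_mode": clean_mode}

if __name__ == "__main__":
    print(demo())
```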



