
Pico 3.7 symlink attack



Vulnerability

    pico

Affected

    pico 3.7

Description

    The following is based on Wkit Security Advisory WSIR-00/11-02 by
    Christer Oberg and Patrik Birgersson.  Upon abnormal exit, the text
    editor saves any changes made to the file being edited into a new
    file in the current working directory named filename.save (where
    filename is the name of the file being edited, e.g. test.txt is
    saved as test.txt.save).  When saving this file, the text editor
    does not check the file type.  A user editing a file in a directory
    writable by others could have other files overwritten if a malicious
    user symbolically linked the filename.save path to a file the editing
    user has owner or group write access to.  The contents of the pico
    session would then be written to the symbolically linked file.

    Conditions:
    1. The malicious user must have write permissions in the directory
       where the file is being edited, in order to create a link.
    2. The 'victim user' must have write permissions for the 'victim
       file'.
    3. The 'victim user' pico session must terminate abnormally.
    4. The file being edited must not have been saved.

    Vulnerability example:

        * Root is logged in remotely
        * Malicious user (foo) notices that root is editing file.txt
          in /tmp (where foo has write permissions)
        * foo creates a link from /etc/passwd (root = write permission)
          to /tmp/filename.save
        * Root's connection is dropped or terminated under abnormal
          conditions (for example: root halts the system) before
          file.txt is saved; the editor writes a rescue copy to
          /tmp/filename.save
        * The editor doesn't check whether /tmp/filename.save is a link,
          and overwrites /etc/passwd with the content of file.txt.

Solution

    No information available.


Site design & layout copyright © 1986-2014 AOH