This is my first bugtraq message. I'm not sure how to put it together, but I'll try:

Word Perfect creates a directory in tmp when you start it up:

$ ls -ld wpc-zerium.newmedia.no/
drwxrwxrwx 2 hanspbie hanspbie 1024 Dec 15 18:59 wpc-your.host.name/

where your.host.name is your hostname. As you see, everybody has write permission to this directory. Word Perfect also creates some nice files:

$ ls -al wpc-zerium.newmedia.no/
total 6
drwxrwxrwx 2 hanspbie hanspbie 1024 Dec 15 19:02 .
drwxrwxrwt 5 root root 1024 Dec 15 19:00 ..
-rw-rw-rw- 1 hanspbie hanspbie 324 Dec 15 18:59 /home/hanspbie/.rhosts
-rw-rw-rw- 1 hanspbie hanspbie 0 Dec 15 18:59 _WP__0000001644a_
prw-rw-rw- 1 hanspbie hanspbie 0 Dec 15 18:59 excmsg7
-rw-rw-rw- 1 hanspbie hanspbie 146 Dec 15 18:56 unix.def
-rw-rw-rw- 1 hanspbie hanspbie 40 Dec 15 18:56 wpprint.err
-rw-rw-rw- 1 hanspbie hanspbie 65 Dec 15 18:56 wpq7_0
-rw-rw-rw- 1 hanspbie hanspbie 65 Dec 15 18:56 wpq7_65535

If you remove one of the files and create a symlink to e.g. a Word Perfect user's rhosts file, it will make a .rhosts file with permission 666!!

$ ls -l .wpexc7.man
lrwxrwxrwx 1 weber weber 22 Dec 15 18:59 .wpexc7.man -> /home/hanspbie/.rhosts
$ ls -la .rhosts
-rw-rw-rw- 1 hanspbie hanspbie 324 Dec 15 18:59 /home/hanspbie/.rhosts

Word Perfect doesn't touch the permissions if the file already exists, but the file contents will be replaced with something like this:

$ cat .rhosts
your-path-to-WP7/shbin10/tmp/wpc-your.host.name/excmsg7m

in.rlogind in Redhat v4.2 doesn't check permission on the .rhosts file.

--
Linux; 64bit, multi-platform, multi-tasking, multi-user, fast and Free.
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn
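For contrast with the behaviour reported above, here is an added example (not part of the original post and not Word Perfect code) of how a program can create its scratch directory and files so that a world-writable directory or a planted symlink is refused instead of followed. The function names, the path /tmp/wpc-demo.example and the victim-file target are assumptions made for the illustration.

```c
/* Added example: private scratch dir + symlink-safe file creation (constructed names). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open dir (creating it 0700 if absent). Accept it only if it is a real
   directory, owned by us, with no group/world access. Returns dir fd or -1. */
int open_private_dir(const char *dir)
{
    struct stat st;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd >= 0 && (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
                     (st.st_mode & (S_IRWXG | S_IRWXO)))) {
        close(dfd);             /* someone else's, or wider than 0700 */
        return -1;
    }
    return dfd;
}

/* Create name under dir with mode 0600. O_EXCL makes the call fail if anything,
   a symlink included, already exists at that name. Returns file fd or -1. */
int create_scratch(const char *dir, const char *name)
{
    int dfd = open_private_dir(dir);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

int main(void)
{
    const char *dir = "/tmp/wpc-demo.example";          /* constructed path */
    int fd = create_scratch(dir, "wpq7_0");             /* fresh name */
    printf("wpq7_0: %s\n", fd >= 0 ? "created, mode 0600" : "refused");
    if (fd >= 0)
        close(fd);
    /* Symlink already sitting at a scratch name; the target is a dummy path. */
    symlink("/tmp/wpc-demo.example/victim-file", "/tmp/wpc-demo.example/.wpexc7.man");
    fd = create_scratch(dir, ".wpexc7.man");
    printf(".wpexc7.man: %s\n", fd < 0 ? "refused" : "created");
    return 0;
}
```

The ownership and mode check is done with fstat on the opened directory descriptor, so the directory that was checked is the same one the file is created in.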