BRIEFING:

The tetex-0.4pl8 package (and previous ones) includes a world-writable/readable database file, /usr/lib/texmf/texmf/ls-R. ls-R stores the locations of TeX scripts to speed up access. In a trusted environment, a user may add his own components, fonts, etc., and list them there. Otherwise this file seems to be mostly harmless, so the ls-R database has mode 666 in standard TeX distributions.

Hmmm, but it isn't quite harmless... One of the paths listed in this file may be modified a little, and then TeX will read our evil script instead of the original one... The TeX language is quite powerful, so a modified script may do almost anything with the processed document, or even access files on the victim's account:

-- lame_example.ltx --
\begin{filecontents}{NotFunnyFile}
Just An Useless Example
\end{filecontents}
-- eof --

EXPLOIT:

Nothing at this time, there's no reason to write it.

FIX:

chmod 644 /usr/lib/texmf/texmf/ls-R, or, if possible, chattr to append-only. If you're unsure whether your ls-R has already been modified, rebuild it.

Note, ls-R is root-owned, so it's stupid to leave it world-writable, even in append-only mode - anyone may execute cp /dev/zero>>ls-R...

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
To iterate is human, to execute recursively - divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
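
Added example (not part of the original post): a POSIX shell audit for the condition described under FIX. It finds ls-R files that group or other can write to and can reset them to mode 644. The function names are hypothetical, and the default root /usr/lib/texmf is an assumption taken from the path in the advisory.

```shell
#!/bin/sh
# Added example: audit TeX ls-R filename databases for unsafe write permissions.
# Source this file, then call e.g.:  audit_lsr /usr/lib/texmf /usr/share/texmf

# Print the path of every regular file named ls-R under the given roots
# that is writable by group (020) or by other (002).
find_writable_lsr() {
    # Assumed default root: the tree named in the advisory.
    [ "$#" -gt 0 ] || set -- /usr/lib/texmf
    find "$@" -type f -name ls-R \( -perm -0020 -o -perm -0002 \) -print
}

# Report offenders with mode and owner (ls -ld).
# Returns 0 when nothing is writable by group/other, 1 otherwise.
audit_lsr() {
    hits=$(find_writable_lsr "$@") || true
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
    return 1
}

# Apply the advisory's fix (mode 644) to every offender found.
# A database that was writable may already list altered paths, so
# rebuild it afterwards with your TeX distribution's own tool.
fix_lsr() {
    find_writable_lsr "$@" | while IFS= read -r f; do
        chmod 644 -- "$f" && printf 'fixed: %s\n' "$f"
    done
}
```

A non-zero status from audit_lsr makes it usable as a cron or CI check; run fix_lsr as the file's owner (root in the advisory's case).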
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:48 PDT