Fw: tetex-0.4pl8 world-writable database

From: Michał Zalewski (lcamtufat_private)
Date: Fri Feb 20 1998 - 04:14:26 PST


    BRIEFING: the tetex-0.4pl8 package (and previous ones) includes a
    world-writable/readable database file, /usr/lib/texmf/texmf/ls-R.
    ls-R stores the locations of TeX scripts to speed up access. In a trusted
    environment, a user may add his own components, fonts, etc., and list
    them there. Otherwise this file seems to be mostly harmless, so the
    ls-R database has mode 666 in standard TeX distributions.
    Hmmm, but it isn't quite harmless... One of the paths listed in this file
    may be modified a little, and then TeX will read our evil script instead
    of the original one... The TeX language is quite powerful, so a modified
    script may do almost anything with the processed document, or even access
    files on the victim's account:
    
    -- lame_example.ltx --
    % filecontents creates NotFunnyFile in the current directory when the
    % document is run; in LaTeX2e of this era it must precede \documentclass.
    \begin{filecontents}{NotFunnyFile}
    Just A Useless Example
    \end{filecontents}
    \documentclass{article}
    \begin{document}
    \end{document}
    -- eof --
    
    EXPLOIT: None at this time; there's no reason to write one.
    
    FIX: chmod 644 /usr/lib/texmf/texmf/ls-R, or, if possible, chattr it to
    append-only. If you're unsure whether your ls-R has already been modified,
    rebuild it. Note that ls-R is root-owned, so it's stupid to leave it
    world-writable, even in append-only mode - anyone may execute
    cp /dev/zero>>ls-R...
    
    _______________________________________________________________________
    Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
    To iterate is human, to recurse divine [P. Deustch]
    =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
    
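Editorial note: the script below is an added example, not part of Michał Zalewski's post or of teTeX. It applies the FIX paragraph to an ls-R file in an auditable way: it flags the group/world write bit, and it walks the database looking for directory entries that point outside the tree (an absolute path or a ".." component) or list files that are not on disk, which is what a tampered or stale ls-R looks like; then it performs the fix (chmod 644 plus a rebuild from the directory listing). The texmf tree, the 0666 ls-R and the poisoned entry are constructed in a temp directory so the script runs offline; the kpathsea header line written by the rebuild is the one mktexlsr uses, and everything else (function names, the sample tree, the use of `ls -l` column positions for the mode check) is this example's own choice, not teTeX behaviour.

```shell
#!/bin/sh
# Added example for this advisory (not code from the original post or from
# teTeX). Audits an ls-R database the way the FIX paragraph suggests:
#   1. is the file group- or world-writable?            (chmod 644 it)
#   2. does it list directories outside the tree it indexes, or files
#      that do not exist on disk?                        (rebuild it)
# Point 2 is the tampering the advisory describes: a "dir:" line in ls-R
# tells kpathsea where e.g. article.cls lives, so anyone who can write the
# file can redirect that lookup to a file of their own.
# The tree below is constructed in a temp dir; on a real teTeX 0.4 system
# the file is /usr/lib/texmf/texmf/ls-R.

# lsr_writable TREE: succeed if TREE/ls-R has the group or other write bit.
# Reads `ls -l` columns so it needs neither GNU stat nor `find -perm /`.
lsr_writable() {
    mode=$(ls -ld "$1/ls-R" | cut -c1-10)    # e.g. -rw-rw-rw-
    case "$mode" in
        ?????w????|????????w?) return 0 ;;   # group write col 6, other col 9
        *) return 1 ;;
    esac
}

# lsr_bad_entries TREE: print each questionable entry; succeed only if none.
# ls-R is an `ls -R` style listing: "dir:" lines followed by the names in
# that directory, blank-line separated, with "%" comment lines.
lsr_bad_entries() {
    tree=$1 dir=. outside=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            '%'*|'') ;;
            *:) dir=${line%:} outside=0
                # Directories are relative to TREE; an absolute path or a
                # ".." component lets the lookup leave the tree entirely.
                case "/$dir/" in
                    //*|*/../*) echo "directory escapes tree: $dir"
                                bad=$((bad+1)) outside=1 ;;
                esac ;;
            *)  [ "$outside" = 1 ] || [ -e "$tree/$dir/$line" ] ||
                    { echo "listed but absent: $dir/$line"; bad=$((bad+1)); } ;;
        esac
    done < "$tree/ls-R"
    [ "$bad" -eq 0 ]
}

# lsr_check TREE: run both checks, report, fail if anything was found.
lsr_check() {
    rc=0
    if lsr_writable "$1"; then
        echo "$1/ls-R is group/world-writable"; rc=1
    fi
    lsr_bad_entries "$1" || rc=1
    return $rc
}

# lsr_fix TREE: the advisory's fix, chmod 644 and rebuild from the disk.
# On a real install mktexlsr/texhash does the rebuild; it is done inline
# here (kpathsea's header line plus a plain `ls -LAR` listing) so the
# example runs without teTeX present.
lsr_fix() {
    chmod 644 "$1/ls-R"
    ( cd "$1" && {
        echo '% ls-R -- filename database for kpathsea; do not change this line.'
        ls -LAR .
      } > ls-R )
}

# build_demo_tree: constructed texmf tree with the 0666 ls-R the advisory
# complains about, one stale entry, and one directory entry pointing at an
# attacker-owned copy of article.cls outside the tree. Prints the tree path.
build_demo_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/texmf/tex/latex" "$top/evil"
    : > "$top/texmf/tex/latex/article.cls"
    : > "$top/evil/article.cls"                # the attacker's replacement
    printf '%s\n' '% ls-R -- constructed for this example' \
        '.:' ls-R tex '' \
        './tex/latex:' article.cls gone.sty '' \
        "$top/evil:" article.cls > "$top/texmf/ls-R"
    chmod 666 "$top/texmf/ls-R"                # the distribution default
    echo "$top/texmf"
}

# Stand-alone run: build the tree, report, fix, report again, clean up.
TREE=$(build_demo_tree)
echo "== before fix"; lsr_check "$TREE" || true
lsr_fix "$TREE"
echo "== after fix"
if lsr_check "$TREE"; then echo "clean: $TREE/ls-R"; fi
rm -rf "${TREE%/texmf}"
```

Run it as root on a real system only after replacing `build_demo_tree` with the real tree path; `lsr_check` is read-only, `lsr_fix` rewrites ls-R. The "escapes tree" test is deliberately narrow (absolute path or ".."): an entry that stays inside the tree but points at a world-writable subdirectory is a separate problem that this check does not cover.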
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:48 PDT