Re: Insecure use of file in /tmp by trn

From: Rogier Wolff (R.E.Wolffat_private)
Date: Sat Aug 21 1999 - 08:47:37 PDT


    Martin Schulze wrote:
    > This was not intentional by the author, he tried to use tempfile(1) to
    > create the temporary filename.  However, due to a thinko, the name was
    > hardcoded into the script.
    [...]
    > +#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
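    Review bot: the added line begins with "#", so as quoted the tempfile call sits in a comment and NNTPactive is not assigned by this line; if the live assignment is in the elided part of the patch it should be shown, otherwise the "#" needs to go. The trailing comment still carries the old "/tmp/active.\$\$" name right next to the replacement and should be dropped so the PID-based name is not restored by accident. Since the backticks are escaped so that tempfile runs at run time, the patch should also state that the code consuming $NNTPactive writes to the file tempfile created rather than removing and recreating that path.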
    
    So now you're using tempfile? This usually yields an easily
    predictable filename, for which the same exploits hold. Just keep an
    eye out for the last PID issued, and OK, this time you might need to
    flip a link (provided that tempfile indeed refuses to return a file
    that is currently symlinked.)
    
    					Roger.
    
    --
    ** R.E.Wolffat_private ** http://www.BitWizard.nl/ ** +31-15-2137555 **
    *-- BitWizard writes Linux device drivers for any device you may have! --*
    ------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
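
The point made in this message, that a guessable name is only safe if creation is atomic and refuses anything already at the path, shown as an added example (not code from the original post or from trn). The function names are hypothetical and mktemp(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example: scratch-file creation that does not depend on the name
# being hard to guess. Function names are hypothetical, not trn's.

# Preferred: mktemp(1) creates the file with O_CREAT|O_EXCL, so a file or
# symlink planted at the chosen name is never followed; another name is tried.
safe_active_file() {
    dir=${TMPDIR:-/tmp}
    (umask 077 && mktemp "$dir/active.XXXXXXXXXX")
}

# Fallback without mktemp: mkdir is atomic and fails if the name exists,
# even as a symlink, so a private 0700 directory is safe although its
# PID-based name is guessable. Files are then created inside it.
safe_active_dir() {
    d=${TMPDIR:-/tmp}/active.$$
    (umask 077 && mkdir "$d") || return 1
    printf '%s\n' "$d"
}

# Check for a fixed or PID-based name: with noclobber (set -C) the shell
# creates the file exclusively and will not truncate an existing regular
# file, directly or through a symlink.
# Returns 0 when the write was refused, 1 when the file was freshly created.
refuses_preexisting() {
    path=$1
    ( set -C; : > "$path" ) 2>/dev/null && return 1
    return 0
}
```

A script that gets a non-zero status from safe_active_dir should stop rather than fall back to writing at the fixed name.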
    


