Re: smbd remote file creation vulnerability

From: Simple Nomad (thegnomeat_private)
Date: Tue Jun 26 2001 - 13:46:01 PDT


    The limit on the netbios name length must include the ../../../ as a part
    of the name, so you've blown 9 characters right there to get to the root
    dir. Otherwise you could get to /etc/crontab or something and the exploit
    would not require a symlink. So the file can be created remotely, but as
    for the symlink that requires local access.
    
    Of course you could try to point /tmp/x.log to ~personaldir/tmp/x.log
    which points to /etc/passwd, but that still won't work under the Openwall
    patch (just checked to make sure).
    
    -         Simple Nomad          -     "No rest for the Wicca'd"     -
    -      thegnomeat_private        -                                   -
    -  thegnomeat_private  - www.nmrc.org   razor.bindview.com -
    
    
    On Tue, 26 Jun 2001, Pavol Luptak wrote:
    
    > On Tue, Jun 26, 2001 at 09:53:29AM +0300, Jarno Huuskonen wrote:
    > > On Mon, Jun 25, Pavol Luptak wrote:
    > > > Linux kernels with openwall patch (with restricted links in /tmp) are
    > > > immune to this type of attack (following symlinks does not work, link
    > > > owner does not match the file's owner).
    > >
    > > The symlink restrictions work only in /tmp (mode 1777) directories, so
    > > making the symlink in your own homedir still works (should work).
    >
    > Yes, the symlink does not have to be in /tmp, but you have to ensure
    > the path to your symlink in your own homedir is short enough to fit in
    > the NetBIOS name (about 15 characters).
    > --
    > _______________________________________________________________________
    > [wilderat_private] [http://hq.alert.sk/~wilder] [talker: ttt.sk 5678]
    >
    



    This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 15:02:25 PDT