Re: Acrobat reader 5.05 temp file insecurity

From: secfocusat_private
Date: Thu Jul 25 2002 - 06:33:35 PDT

    In-Reply-To: <200206242133.g5OLXgS78108at_private>
    
    <pszat_private (Paul Szabo)> wrote
    [...]
    >Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and
    >changes its permissions to wide open (mode 666); it also follows
    >symlinks. The attack is obvious:
    >
    >  ln -s ~victim/.bashrc /tmp/AdobeFnt06.lst.VUID
    >
    >and wait for victim to use acroread; then we can write his .bashrc.
    
    Adobe claims to have fixed this in 5.06:
    README:
    | New for Acrobat Reader 5.0.6
    |
    | A security patch was applied that solves the problem reported in
    | http://online.securityfocus.com/archive/1/278984 where
    | opening the font cache when the application starts up
    | can unintentionally cause the permissions of other
    | files to change.
                  cu andreas
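
The class of bug discussed in this thread (a cache file in /tmp opened through a symlink and then made mode 666) is avoided by refusing symlinks at open time and setting permissions on the descriptor rather than the path. The following is an added example, not part of the original message and not Adobe's code; the function names and the file name `fontcache.lst` are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create a per-user cache file; returns an fd, or -1 if refused. */
int open_cache_file(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the last path component is a symlink.
     * Mode 0600: a newly created file is private from the start. */
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Inspect the object actually opened, not the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() ||   /* pre-created by another user */
        st.st_nlink != 1 ||         /* hard link to some other file */
        fchmod(fd, 0600) != 0) {    /* fchmod on the fd, never chmod(path) */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed check: returns the mode bits of a victim file after an
 * open attempt through a symlink planted at the cache path, or -1. */
int victim_mode_after_symlink_attempt(void)
{
    char dir[] = "/tmp/cache-demo-XXXXXX", victim[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/fontcache.lst", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (v < 0 || fchmod(v, 0644) != 0 || symlink(victim, link) != 0) return -1;
    close(v);
    int fd = open_cache_file(link);           /* must be refused */
    int ok = (fd == -1) && stat(victim, &st) == 0;
    if (fd >= 0) close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return ok ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    printf("victim mode: %o\n", victim_mode_after_symlink_attempt());
    return 0;
}
```

O_NOFOLLOW only covers the final path component, so keeping such a cache in a directory owned by the user (mode 0700) instead of a shared /tmp removes the race entirely.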
    



    This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 09:59:08 PDT