5737639 2000-11-16 09:27 +0100  /141 lines/  <advisories@WKIT.COM>
Imported: 2000-11-16  20:15  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: advisories@WKIT.COM
Recipient: Bugtraq (import) <13768>
Subject: Joe's Own Editor File Link Vulnerability
------------------------------------------------------------
From: advisories@WKIT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <OFA37580A7.D534E0C8-ONC1256999.002E0BB0@wkit.se>



TITLE:          Joe's Own Editor File Link Vulnerability
ADVISORY ID:    WSIR-00/11-01
CONTACT:        Patrik Birgersson, Wkit Security AB
CLASS:          File Handling Error
OBJECT:         joe(1) (exec)
VENDOR:         Josef H. Allen
STATUS:         Vendor not reachable
REMOTE:         No
LOCAL:          Yes
DATE:           13/11/2000
VULNERABLE:     Joe's Own Editor 2.8
                Other versions/configurations not tested


VULNERABILITY DESCRIPTION
If a joe session with an unsaved file terminates abnormally, joe creates
a rescue copy of the file being edited called DEADJOE. The creation of
this rescue copy is made without checking if the file is a link. If it
is a link, joe will append the information in the unsaved file to the
file that DEADJOE is linked to, resulting in a corrupted file.


CONDITIONS
1. The malicious user must have write permissions in the directory where
   the file is being edited, in order to create a link
2. The 'victim user' must have write permissions for the 'victim file'
3. The 'victim user' joe session must terminate abnormally
4. The file being edited must not have been saved


VULNERABILITY EXAMPLE
- Root is logged in remotely
- Malicious user (X) notices that root is editing file.txt in /tmp
  (where X has write permissions)
- X creates a link from /etc/passwd (root = write permission) to
  /tmp/DEADJOE
- Root's connection is dropped or terminated under abnormal conditions
  (for example: root halts the system) before file.txt is saved; the
  editor will write a rescue copy to /tmp/DEADJOE
- The editor won't check if /tmp/DEADJOE is a link, and appends the
  content of file.txt to /etc/passwd


SOLUTION/VENDOR INFORMATION/WORKAROUND
No information available.


CREDITS
This vulnerability was discovered and documented by Christer Öberg and
Patrik Birgersson of Wkit Security AB, Håverud, Sweden.

Other advisories from Wkit Security AB can be obtained from:
http://www.wkit.com/advisories/


DISCLAIMER
The contents of this advisory are copyright (c) 2000 Wkit Security AB
and may be distributed freely, provided that no fee is charged and
proper credit is given. Wkit Security AB takes no credit for this
discovery if someone else has published this information in the public
domain before this advisory was released. The information herein is
intended for educational purposes, not for malicious use. Wkit Security
AB takes no responsibility whatsoever for the use of this information.


ABOUT THE COMPANY
Wkit Security AB is an independent data security company working with
security-related services and products. Wkit Security AB plays a
leading role in the development of security thinking, regarding
internal and external data communication at companies and other
organizations that store sensitive information. The company consists of
two divisions: a service division, performing security analysis and
security reviews, and a product division. We work together with
strategic partners to bring programs and services into the market. Our
services and products are continuously developed to optimally follow
the world demand for IT security.


30 DAY DISCLOSURE
Whenever Wkit Security AB finds any security-related flaws in an
operating system or application, we will provide the vendor responsible
for the product with a detailed Incident Report. We believe that 30
days is appropriate for the vendor to fix the problem before we publish
the incident report on our own web page and other mailing lists/websites
we find suitable for the majority of the worldwide users. If the vendor
has a reasonable cause why they can't fix the problem in 30 days we can,
after discussion, agree on a longer disclosure time.


ACKNOWLEDGEMENTS
Wkit Security AB's highest priority is public security, and we will
never release Incident Reports without informing the vendor and giving
them reasonable (30 day) time to fix the problem. In general, Wkit
Security AB follows the guidelines for reporting security breaches found
on the vendor's homepage or similar. We urge vendors that, in the same
way we follow their guidelines, the vendor informs us about the
solution; if possible, 2 days before the fix/solution is presented to
the majority. This gives us the chance to prepare our web page to inform
about the Incident and to present a solution in the way the vendor
suggests at the time when it is presented to the majority.


CONTACT
Wkit Security AB should be contacted through advisories@wkit.com if no
other agreement has been made. Every incident report is assigned a
report number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one
responsible contact person from Wkit Security. When communicating with
Wkit Security AB in the matter of the Incident Reports, be sure to add
the WSIR number in the email to avoid any problems.


***************************************************************************
Wkit Security AB, Upperudsvägen 4, S-464 72 Håverud, SWEDEN

http://www.wkit.com   e-mail: advisories@wkit.com
***************************************************************************


(5737639) --------------------------------(Re-wrapped)
Comment in text 5738405 by John Madden <weez@AVENIR.DHS.ORG>

5738405 2000-11-16 13:05 -0500  /35 lines/ John Madden <weez@AVENIR.DHS.ORG>
Imported: 2000-11-17  00:31  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: weez@AVENIR.DHS.ORG
Recipient: Bugtraq (import) <13773>
Comment on text 5737639 by  <advisories@WKIT.COM>
Subject: Re: Joe's Own Editor File Link Vulnerability
------------------------------------------------------------
From: John Madden <weez@AVENIR.DHS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <0011161305300F.16925@weez>

> VULNERABILITY EXAMPLE
> - Root is logged in remotely
> - Malicious user (X) notices that root is editing file.txt in /tmp
>   (where X has write permissions)
> - X creates a link from /etc/passwd (root = write permission) to
>   /tmp/DEADJOE
> - Root's connection is dropped or terminated under abnormal conditions
>   (for example: root halts the system) before file.txt is saved; the
>   editor will write a rescue copy to /tmp/DEADJOE

Correction: joe creates DEADJOE in the present working directory, not
/tmp.  root would have to be working in /tmp for this to work.  Of
course, the link could be in /home/foouser to /etc/passwd, but that
makes the exploit a bit more difficult.

(Tested on slackware 7.0, default joe installation)

John

--
# John Madden  weez@avenir.dhs.org ICQ: 2EB9EA
# UNIX Systems Engineer, Ivy Tech State College
# FreeLists, Free mailing lists for all: http://www.freelists.org
# Sys-Admin / Webmaster, Avenir Web: http://avenir.dhs.org
# Linux, Apache, Perl and C: All the best things in life are free!
(5738405) --------------------------------(Re-wrapped)
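The advisory above describes a rescue file (DEADJOE) that joe appends to without checking whether the name is a link, and the follow-up notes that it lands in the current working directory. The following is an added example, not joe's code and not from either message, of how an editor can open such a file defensively: O_NOFOLLOW lets the kernel reject a symlink atomically, and fstat on the already-open descriptor rejects hard links, non-regular files and files owned by someone else. The demo scenario (temp dir under /tmp, file names `victim`, `DEADJOE`, `DEADJOE.hard`, `DEADJOE.fresh`) is constructed for the example.

```c
/* Hardened open for a DEADJOE-style crash rescue file. Added example;
 * not joe's own code. Assumes a Linux/glibc system with a writable /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an fd for appending the rescue copy, or -1 if `path` is a
 * symlink (open fails with ELOOP because of O_NOFOLLOW), is not a regular
 * file, has extra hard links, or is owned by another user. The checks run
 * on the open fd, so there is no lstat-then-open race to exploit. */
int safe_rescue_open(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: a "victim" file, a symlink
 * DEADJOE -> victim (the advisory's case) and a hard link DEADJOE.hard.
 * Returns 1 when both links are refused and a fresh name is accepted. */
int demo_links_refused(void)
{
    char dir[] = "/tmp/joedemoXXXXXX", victim[64], sym[64], hard[64], fresh[64];
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(sym, sizeof sym, "%s/DEADJOE", dir);
    snprintf(hard, sizeof hard, "%s/DEADJOE.hard", dir);
    snprintf(fresh, sizeof fresh, "%s/DEADJOE.fresh", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || symlink(victim, sym) < 0 || link(victim, hard) < 0)
        return 0;
    close(v);
    int ok = safe_rescue_open(sym) < 0 && safe_rescue_open(hard) < 0;
    int fd = safe_rescue_open(fresh);      /* new regular file: allowed */
    ok = ok && fd >= 0;
    if (fd >= 0)
        close(fd);
    unlink(fresh); unlink(hard); unlink(sym); unlink(victim); rmdir(dir);
    return ok;
}
```

Appending is kept here to match joe's behaviour; an editor that instead adds O_EXCL and picks an unpredictable name removes the remaining case of a regular file planted under a guessable name.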