lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040405090235.22278.qmail@www.securityfocus.com>
Date: 5 Apr 2004 09:02:35 -0000
From: Rene <l0om@...luded.org>
To: bugtraq@...urityfocus.com
Subject: SuSEs YaST Online Update - possible symlink attack




author:l0om - l0om[at]excluded.org - www.excluded.org 
date:05.04.2004 
product:SuSE 9.0 maybe lower 
 
possible symlink attack in SuSEs YOU [YaST Online 
Update] 
 
in SuSE linux you can use YOU to auto update your 
system. 
you can do this by YaST or by hand with the command 
"online_update". 
as a normal user you can check for updates with the 
options "-q" or "-k". 
By doing this "online_update" will do the follwing: 
creats a directory in /usr/tmp/you-$USER 
in this direcoty it will creat the files "cookies", 
"quickcheack" and "youservers" (furthermore 
it creats some directorys- nevermind...). 
it doesnt check for a allready existing directory 
called "you-$USER" or for files like "cookies" 
which may be there. 
 
an attacker could create a directory like "/usr/tmp/
you-asdf" and put a link 
there named "cookies" which points to a file in /
home/asdf he likes to overwrite. 
then he should set the directory permissions on 777 
otherwise the binary will fail to create files 
in /usr/tmp/asdf. 
now he have to get the user asdf to execute the "/
usr/bin/online_update" binary (maybe by mail or 
write) and the file will be overwritten. 
 
bye and have a lot of phun 
	l0om 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ