Message-ID: <3D336984.7050607@bokeoa.com>
From: core at bokeoa.com (Charles 'core' Stevenson)
Subject: Sharutils buggy?
Actually it uses the full path.. at least on Debian.. see previously
attached concept exploit. Of course I had to create a retarded mail
program that simply ran uudecode on the attachment. ;)
peace,
core
Roland Postle wrote:
> The problem seems to be that by default uudecode uses as the output filename
> the same filename used when the file was uuencoded. The fix is apparently to
> stop it following symbolic links. So an attacker couldn't uuencode with a
> filename that was in the /tmp directory. Then link the file in the tmp
> directory to whatever they wanted. My guess is you can't specify an absolute
> path (or ../) in the filename, and the assumption is that lots of people
> extract these files in the tmp directory where malicious symbolic links might
> reside.
>
> Regardless it's not a 'grave' security problem as some people have said. And
> no, Uuencode isn't (or shouldn't be) suid/sgid before you ask.
>
> - Blazde
>
> ----- Original Message -----
> From: "martin f krafft" <madduck@...duck.net>
> To: "full-disclosure people" <full-disclosure@...ts.netsys.com>
> Sent: Tuesday, July 16, 2002 12:24 AM
> Subject: [Full-Disclosure] Sharutils buggy?
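The two behaviours discussed in this thread (the output name taken from the encoded file's `begin` line, including a full path, and symbolic links being followed on write) can both be refused by a decoder before it writes anything. The following is an added example, not sharutils code and not the fix that was shipped; the function names `parse_begin` and `open_output` are hypothetical and the header lines in `main` are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for openat() and O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a "begin <mode> <name>" header line. Returns 0 and fills mode/name
 * only if the embedded name is a plain file name: no '/', not "." or "..".
 * -1: not a uuencode header, -2: name carries a path, -3: name too long. */
int parse_begin(const char *line, unsigned *mode, char *name, size_t n)
{
    char buf[256];
    if (sscanf(line, "begin %o %255[^\r\n]", mode, buf) != 2)
        return -1;
    if (strchr(buf, '/') != NULL)        /* covers /abs/path and ../x */
        return -2;
    if (strcmp(buf, ".") == 0 || strcmp(buf, "..") == 0)
        return -2;
    if (strlen(buf) >= n)
        return -3;
    strcpy(name, buf);
    return 0;
}

/* Create the output file inside dirfd. O_EXCL refuses any existing entry
 * (a planted symlink included), O_NOFOLLOW states the intent explicitly.
 * Only permission bits are kept from the sender-supplied mode. */
int open_output(int dirfd, const char *name, unsigned mode)
{
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW,
                  (mode_t)(mode & 0777));
}

int main(void)
{
    /* Constructed header lines, not taken from the thread. */
    const char *samples[] = { "begin 644 report.txt\n",
                              "begin 644 /tmp/report.txt\n",
                              "begin 644 ../report.txt\n" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        unsigned mode = 0;
        char name[64];
        int rc = parse_begin(samples[i], &mode, name, sizeof name);
        printf("%-28.*s -> %s\n", (int)strcspn(samples[i], "\n"), samples[i],
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```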