| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: core at bokeoa.com (Charles 'core' Stevenson) Subject: Sharutils buggy? Actually it uses the full path.. at least on debian.. see previously attached concept exploit. Of course I had to create a retarded mail program that simply rand uudecode on the attachment. ;) peace, core Roland Postle wrote: > The problem seems to be that by default uudecode uses as the output filename > the same filename used when the file was uuencoded. The fix is apparently to > stop it following symbolic links. So an attacker couldn't uuencode with a > filename that was in the /tmp directory. Then link the file in the tmp > directory to whatever they wanted. My guess is you can't specify an absolute > path (or ../) in the filename, and the assumption is that lots of people > extract these files in the tmp directory where malicous symbolic links might > reside. > > Regardless it's not a 'grave' security problem as some people have said. And > no, Uuencode isn't (or shouldn't be) suid/sgid before you ask. > > - Blazde > > ----- Original Message ----- > From: "martin f krafft" <madduck@...duck.net> > To: "full-disclosure people" <full-disclosure@...ts.netsys.com> > Sent: Tuesday, July 16, 2002 12:24 AM > Subject: [Full-Disclosure] Sharutils buggy? > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure@...ts.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > >
Powered by blists - more mailing lists