| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <416BC5AA.9020307@g-house.de> From: evil at g-house.de (Christian Kujau) Subject: unarj dir-transversal bug (../../../..) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Umphress wrote: >>...somehow i don't expect programs to mess with /usr. not as a user and >>not as root. > > I just picked /usr, it could have been /etc, /var or any other > standard directory that every *nix distribution has. Regardless, if I > try to make unarj write to a directory that I don't have the > neccessary permissions for, it asks me to pick an alternate location > to extract to. yes, but this is the point! when i happen to unarj a package with the unarj version you have as user "root", then unarj *will* have the permission to overwrite /etc or whatever. it won't kindly ask but just overwrite, or does it? (you've shown unarj in action with sudo when test.txt was non-existant). - -- BOFH excuse #290: The CPU has shifted, and become decentralized. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBa8Wq+A7rjkF8z0wRAvOIAKDDIeYg5kMmda/6vR1sfgXORSGW7wCg2Fwg jkJFk76Fgb7nDCDvAk+HrkY= =v0l8 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists