Message-ID: <627B04AD-B5F1-4CDB-A189-E7FDE4A479D8@uic.edu>
Date: Fri Dec 16 00:13:31 2005
From: jlongs2 at uic.edu (James Longstreet)
Subject: Symlink attack techniques


On Dec 15, 2005, at 7:09 AM, Werner Schalk wrote:

> Ok I should have been more precise in my previous mail. In this scenario I
> don't have control over the output generated by the find command. So
> basically the cronjob is something like:
>
> 15 4  * * 6  root  /usr/bin/find /home/userA -type f -print > /tmp/report.txt
>
> Consequently as userB I have no way of influencing what information is printed
> by the find command to /tmp/report.txt but I can surely
> control /tmp/report.txt. Any other ideas of how to exploit this to gain root
> access?

Since it doesn't seem like you can control what gets written to the  
file, you probably can't directly get root access from there.  The  
output could have some ill effect if written to the correct file...  
hard to know without knowing what the output is.

Of course, as was already suggested, you can be malicious and  
destructive and destroy /etc/passwd (or any other file on the  
system), but I don't see right away how to gain root from that.
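
For reference, a hardened form of the report job discussed in this thread, as an added example that is not part of the original message. The function names and the report directory are hypothetical, and `stat -c` and `mv -T` assume GNU coreutils. The report is written into a directory only the job's owner can write to, through a `mktemp` file that is renamed into place, so the job never opens a predictable path in a shared directory.

```shell
#!/bin/sh
# Added example: hardened version of the cron report job. Paths and
# function names are hypothetical.

# is_private_dir DIR: succeeds only if DIR is a real directory (not a
# symlink), owned by the current user, and not group- or world-writable.
is_private_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    # %a prints the octal mode, e.g. 700 or 1777 (GNU stat).
    mode=$(stat -c '%a' "$dir") || return 1
    case $mode in
        *[2367]?|*[2367]) return 1 ;;   # write bit set for group or others
    esac
    return 0
}

# write_report SRC_DIR REPORT_DIR: list regular files under SRC_DIR into
# REPORT_DIR/report.txt without opening a predictable name for writing.
write_report() {
    src=$1 outdir=$2
    is_private_dir "$outdir" || {
        echo "refusing: $outdir is not a private directory" >&2
        return 1
    }
    # mktemp creates a new file with an unpredictable name, exclusively
    # and with mode 0600, so a pre-planted symlink cannot be followed.
    tmp=$(mktemp "$outdir/report.XXXXXX") || return 1
    if find "$src" -type f -print > "$tmp"; then
        # rename(2) replaces the destination name itself; -T stops mv from
        # moving the file into a directory or symlink-to-directory.
        mv -T -f "$tmp" "$outdir/report.txt"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

As a crontab entry this would be called with something like `write_report /home/userA /var/lib/report`, where `/var/lib/report` is a root-owned directory with mode 0700.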
