wkit.joe.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
TITLE: Joe's Own Editor File Link Vulnerability  
ADVISORY ID: WSIR-00/11-01  
CONTACT: Patrik Birgersson, Wkit Security AB  
CLASS: File Handling Error  
OBJECT: joe(1) (exec)  
VENDOR: Josef H. Allen  
STATUS: Vendor not reachable  
REMOTE: No  
LOCAL: Yes  
DATE: 13/11/2000  
VULNERABLE: Joe's Own Editor 2.8  
Other versions/configurations not tested  
  
  
VULNERABILITY DESCRIPTION  
If a joe session with an unsaved file terminates abnormally, joe creates a  
rescue copy of the file being edited called DEADJOE. The creation of this  
rescue copy is made without checking if the file is a link. If it is a  
link, joe will append the information in the unsaved file to the file that  
is being linked to DEADJOE, resulting in a corrupted file.  
  
  
CONDITIONS  
1. The malicious user must have write permissions in the directory where  
the file is being edited, in order to create a link  
2. The 'victim user' must have write permissions for the 'victim file'  
3. The 'victim user' joe session must terminate abnormally  
4. The file being edited must not have been saved  
  
  
VULNERABILITY EXAMPLE  
- - Root is logged in remote  
- - Malicious user (X) notices that root is editing file.txt in /tmp  
(where X has write permissions)  
- - X creates a link from /etc/passwd (root = write permission) to  
/tmp/DEADJOE  
- - Root's connection is dropped or terminated under abnormal conditions  
(for example: root halts the system) before file.txt is saved, the  
editor will write a rescue copy to /tmp/DEADJOE  
- - The editor won't check if /tmp/DEADJOE is a link, and appends the  
content of file.txt to /etc/passwd  
  
  
SOLUTION/VENDOR INFORMATION/WORKAROUND  
No information available.  
  
  
CREDITS  
This vulnerability was discovered and documented by Christer Öberg and  
Patrik Birgersson of Wkit Security AB, Håverud, Sweden.  
  
Other advisories from Wkit Security AB can be obtained from:  
http://www.wkit.com/advisories/  
  
  
DISCLAMER  
The contents of this advisory is copyright (c) 2000 Wkit Security AB and  
may be distributed freely, provided that no fee is charged and proper  
credit is given. Wkit Security AB takes no credit for this discovery if  
someone else has published this information in the public domain before  
this advisory was released.  
The information herein is intended for educational purposes, not for  
malicious use. Wkit Security AB takes no responsibility whatsoever for the  
use of this information.  
  
  
ABOUT THE COMPANY  
Wkit Security AB is an independent data security company working with  
security-related services and products. Wkit Security AB plays a leading  
role in the development of security thinking, regarding internal and  
external data communication at companies and other organizations that  
store sensitive information.  
The company consists of two divisions: a service division, performing  
security analysis and security reviews, and a product division. We work  
together with strategic partners to bring programs and services into the  
market.  
Our services and products are continuously developed to optimally follow  
the world demand for IT security.  
  
  
30 DAY DISCLOSURE  
Whenever Wkit Security AB finds any security related flaws in operating  
system, or application, we will provide the vendor responsible for the  
product with a detailed Incident Report. We believe that 30 days is  
appropriate for the vendor to fix the problem before we publish the  
incident report on our own web page and other mailing lists/websites we  
find suitable for the majority of the worldwide users. If the vendor has a  
reasonable cause why they can't fix the problem in 30 days we can, after  
discussion, agree on a longer disclosure time.  
  
  
ACKNOWLEDGEMENTS  
Wkit Security AB's highest priority is for the public security, and will  
never release Incidents Reports without informing the vendor and give them  
reasonable (30 day) time to fix the problem. In general, Wkit Security AB  
follows the guidelines for reporting security breaches we found on the  
vendors homepage or similar.  
We urge vendors that in the same way we follow their guidelines, that the  
vendor informs us about the solution; if possible, 2 days before the  
fix/solution will be presented for the majority. This gives us the chance  
to prepare our web page to inform about the Incident and to present a  
solution in the way the vendor suggest at the time when it is present for  
the majority.  
  
  
CONTACT  
Wkit Security AB should be contacted through [email protected] if no  
other agreement has been done. Every incident report is assigned a report  
number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one  
responsible contact person from Wkit Security. When communicating with  
Wkit Security AB in the matter of the Incident Reports, be sure to add the  
WSIR number in the email to avoid any problems.  
  
  
***************************************************************************  
Wkit Security AB  
Upperudsvägen 4  
S-464 72 Håverud  
SWEDEN  
  
http://www.wkit.com  
e-mail: [email protected]  
***************************************************************************  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 7.0  
  
iQA/AwUBOhJlSW7fLJob6xkXEQJgpACfSP5fzZWft5antg+DdXMdYcAOVSQAoKN/  
lhge4y3XCAroyWUA004N/acM  
=LYU/  
-----END PGP SIGNATURE-----  
  
`