ID PACKETSTORM:89561 Type packetstorm Reporter Paul Szabo Modified 2010-05-15T00:00:00

Description

"If you're doing anything technical, think Mathematica --..."
http://www.wolfram.com/products/mathematica/index.html

Mathematica 7 on Linux uses the /tmp/MathLink directory in insecure ways.
Mathematica creates or re-uses an existing /tmp/MathLink directory,
overwrites files within it and follows symlinks. This type of behaviour is
"known unsafe" on multi-user machines, e.g. University login servers.
As a classic example of a symlink attack, if an "attacker" uses:

mkdir /tmp/MathLink; ln -s /home/victim/.bashrc /tmp/MathLink/.gshmm

then when the victim runs Mathematica his ~/.bashrc will be clobbered.
New files are created world-writable, allowing a complete compromise of
the user account by linking to ~/.bash_logout. (If root ever uses
Mathematica then the damage is greater.)

Mathematica also uses /tmp/fonts$$.conf in insecure ways.

Workaround: use command-line math instead of the graphical interface.

Notified support@wolfram.com on 7 May 2010, and was assigned [TS 16194].

Cheers,

Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
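As an added example (not part of the advisory), the Python below audits a shared scratch directory the way a defender or packager would, using lstat so a planted symlink is reported rather than followed, and shows the creation pattern (O_EXCL, O_NOFOLLOW, mode 0600, or a fresh mkdtemp directory) that removes the issue; the directory and file names are constructed stand-ins for /tmp/MathLink, .gshmm and the victim's ~/.bashrc.

```python
import os
import stat
import tempfile

def audit_shared_tmp_dir(path, uid=None):
    """List (path, problem) pairs that make a shared scratch dir unsafe to reuse.
    All checks use lstat, so a planted symlink is reported, never followed."""
    uid = os.getuid() if uid is None else uid
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return [(path, "directory path is itself a symlink")]
    if st.st_uid != uid:
        findings.append((path, f"owned by uid {st.st_uid}, not by the caller"))
    if st.st_mode & stat.S_IWOTH:
        findings.append((path, "directory is world-writable"))
    for name in sorted(os.listdir(path)):
        entry = os.path.join(path, name)
        est = os.lstat(entry)
        if stat.S_ISLNK(est.st_mode):
            findings.append((entry, f"symlink -> {os.readlink(entry)}"))
        elif est.st_uid != uid:
            findings.append((entry, f"owned by uid {est.st_uid}"))
        elif est.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
    return findings

def create_private_file(dirpath, name, data):
    """Safe creation: O_EXCL refuses any existing entry (planted symlinks
    included), O_NOFOLLOW never follows one, mode 0600 instead of world-writable.
    Returns True on success, False when the name was already taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(os.path.join(dirpath, name), flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True

def build_demo_layout():
    """Constructed layout mirroring the advisory: world-writable dir with a .gshmm -> victim rc symlink."""
    base = tempfile.mkdtemp()  # fresh, 0700, caller-owned: the safe alternative to reusing /tmp/X
    victim_rc = os.path.join(base, "victim_bashrc")  # stand-in for ~/.bashrc
    open(victim_rc, "w").close()
    shared = os.path.join(base, "MathLink")
    os.mkdir(shared)
    os.chmod(shared, 0o777)  # as if another user had created it
    os.symlink(victim_rc, os.path.join(shared, ".gshmm"))
    return shared, victim_rc
```

Running the audit over the constructed directory flags both the world-writable directory and the planted symlink, and `create_private_file` refuses the `.gshmm` name while leaving the stand-in rc file untouched.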
