This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.



Re: Logfile symlink vulnerability


Harold L Hunt II wrote:

> With two distinct users, not in the same group, and with neither an
> administrator?
> What OS was this with? Were you using NTFS or FAT32?
> Please provide more details of your test.

Windows XP, NTFS drive. Two different users; the attacker is a
"restricted user", the victim is an administrator. The attacker runs
"ln -s /home/victim/foo /tmp/XWin.log" and then the victim runs
"XWin badarg" and beholds his ~/foo being overwritten.

> I just don't see how you could overwrite a file at all if you don't
> have permission on the underlying filesystem...

All the attacker user does is create /tmp/XWin.log as a symbolic link.
It's the victim that performs the actual damage, by following the
symbolic link to one of its *own* files and overwriting it. The only
permissions involved are /tmp being world-writable (it doesn't even
matter that /tmp had the sticky bit, if /tmp/XWin.log didn't exist
beforehand).

It's really a classical Unix security pitfall that occurs whenever you
write to files in world-writable directories. It has to be dealt with at
the application level, either by being careful about existing files or
by using atomically generated unique filenames.

  Eran
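An added example, not part of Eran's mail or of the XWin/Cygwin sources, showing the two remedies the last paragraph names in C: an open that refuses to reuse an existing name (so a planted symlink is rejected with EEXIST), and an atomically generated unique name via mkstemp. The function names, the scratch directory under /tmp and the "victim_foo" / "precious" sample file are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Safe replacement for the vulnerable fopen("/tmp/XWin.log", "w"), which
 * follows a planted symlink and truncates the victim's file.  O_CREAT|O_EXCL
 * fails with EEXIST when the name already exists (a symlink, even dangling,
 * counts); O_NOFOLLOW additionally refuses symlinks.  0600 keeps it private. */
int open_log_noclobber(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The mail's other remedy: an atomically generated unique name.  mkstemp
 * chooses the name and opens it with O_EXCL in one step; 'tmpl' must end
 * in "XXXXXX" and is overwritten with the name actually used. */
int open_log_unique(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Re-creates the mail's scenario in a private scratch directory standing in
 * for /tmp (constructed sample data): the attacker plants XWin.log ->
 * victim_foo, then the victim opens XWin.log through the safe helper.
 * Returns 1 only if the open was refused with EEXIST and victim_foo survived. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/xwinlog-demo.XXXXXX", target[4096], lnk[4096], buf[32] = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/victim_foo", dir);
    snprintf(lnk, sizeof lnk, "%s/XWin.log", dir);
    FILE *f = fopen(target, "w");                 /* victim's own file */
    if (!f) return 0;
    fputs("precious", f); fclose(f);
    if (symlink(target, lnk) != 0) return 0;      /* attacker's symlink */
    int fd = open_log_noclobber(lnk);             /* victim opens the log */
    int refused = (fd == -1 && errno == EEXIST);
    if (fd >= 0) close(fd);
    f = fopen(target, "r");                       /* did victim_foo survive? */
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    unlink(lnk); unlink(target); rmdir(dir);      /* clean up scratch dir */
    return refused && n == 8 && strcmp(buf, "precious") == 0;
}
```

With the unsafe fopen(..., "w") in place of open_log_noclobber the same demo would report victim_foo truncated to zero bytes, which is exactly the ~/foo overwrite described above.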

