Logfile symlink vulnerability
Harold L Hunt II
huntharo@msu.edu
Mon Mar 22 00:18:00 GMT 2004
Eran Tromer wrote:
> Harold L Hunt II wrote:
>
>>Eran Tromer wrote:
>>
>>>If /tmp/XWin.log is a symlink, XWin will merrily follow it and write
>>>to whatever it's pointing to (see LogInit() in os/log.c). This allows
>>>standard symlink-following attacks.
>>
>>In theory, but have you actually tried it and confirmed that it works
>>with two different users that did not already both have permissions to
>>overwrite the file in question?
>
>
> Yes, I did verify it.

With two distinct users, not in the same group, and with neither being an
administrator?

I just don't see how you could overwrite a file at all if you don't have
permission on the underlying filesystem... what OS was this with? Were
you using NTFS or FAT32? FAT32 could explain things... in which a user
could overwrite a file anyway since FAT32 doesn't provide security, so
protecting for this in XWin.exe would be pointless.

Please provide more details of your test.

Harold
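
An added example, not part of this message and not XWin's own code: one way a logger can refuse a symlinked path such as the /tmp/XWin.log case quoted above. It assumes a filesystem with POSIX ownership and `O_NOFOLLOW` support; `open_log_nofollow` and `demo` are hypothetical names, and the files in `demo` are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not XWin's LogInit): open a log in a shared directory
 * without following a symlink. Returns an fd, or -1 with errno set. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails if the final path component is a symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* Check the opened object, not the name, so there is no race window. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* Truncate only after the checks, so a refused target stays intact. */
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario: a symlink named XWin.log pointing at a "victim" file.
 * Returns 0 if the link is refused, the victim is unchanged, and a plain path opens. */
int demo(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", victim[64], lnk[64], plain[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/XWin.log", dir);
    snprintf(plain, sizeof plain, "%s/plain.log", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("important\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, lnk) != 0) return -1;
    int refused = open_log_nofollow(lnk) < 0;
    int intact = stat(victim, &st) == 0 && st.st_size == 10;
    int fd = open_log_nofollow(plain);
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(victim); unlink(plain); rmdir(dir);
    return (refused && intact && fd >= 0) ? 0 : 1;
}
int main(void) { return demo(); }
```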