Logfile symlink vulnerability

Eran Tromer cygwinx2eran2eran@tromer.org
Mon Mar 22 00:24:00 GMT 2004


Harold L Hunt II wrote:

> With two distinct users, not in the same group, and with neither an
> administrator?
> What OS was this with? Were you using NTFS or FAT32?
> Please provide more details of your test.

Windows XP, NTFS drive. Two different users; the attacker is a
"restricted user", the victim is an administrator. The attacker runs
"ln -s /home/victim/foo /tmp/XWin.log" and then the victim runs "XWin
badarg" and beholds his ~/foo being overwritten.

> I just don't see how you could overwrite a file at all if you don't
> have permission on the underlying filesystem...

All the attacker user does is create /tmp/XWin.log as a symbolic link.
It's the victim who performs the actual damage, by following the
symbolic link to one of its *own* files and overwriting it. The only
permissions involved are /tmp being world-writable (it doesn't even
matter that /tmp had the sticky bit, if /tmp/XWin.log didn't exist
beforehand).

It's really a classical Unix security pitfall that occurs whenever you
write to files in world-writable directories. It has to be dealt with at
the application level, either by being careful about existing files or
by using atomically generated unique filenames.

  Eran
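As an added illustration (not code from this thread or from XWin itself), here is the truncating opener the post describes beside a hardened one, plus a constructed replay of the scenario in a scratch directory; the /tmp/xwinlog-demo prefix and the file names foo and XWin.log are assumptions:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from the post: open-with-truncate follows a planted symlink. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened opener: create atomically, never follow a symlink, and accept an
 * existing file only if it is a plain file we own with no other hard links. */
int open_log_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;                           /* created it, or a real error */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);   /* ELOOP on symlink */
    if (fd < 0)
        return -1;
    /* Check the object actually opened, not the path, so a swap cannot race us. */
    if (fstat(fd, &st) || !S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a fresh scratch dir (hypothetical prefix): "foo" is the
 * victim's file, "XWin.log" the planted symlink. 1 = foo kept its 12 bytes, 0 = clobbered. */
int victim_survives(int (*opener)(const char *))
{
    char dir[] = "/tmp/xwinlog-demo-XXXXXX", victim[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/foo", dir);
    snprintf(link, sizeof link, "%s/XWin.log", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("victim data\n", f) == EOF || fclose(f) != 0) return -1;
    if (symlink(victim, link) != 0) return -1;
    int fd = opener(link);
    if (fd >= 0 && (write(fd, "log line\n", 9) < 0 || close(fd) != 0)) return -1;
    return stat(victim, &st) == 0 ? (st.st_size == 12) : -1;
}
```

The other remedy the post mentions, an atomically generated unique name via mkstemp(3), sidesteps the fixed-name problem entirely and needs none of the fstat checks.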
