7663126 2001-12-13 00:02 +0100 /64 lines/ Marco van Berkum <m.v.berkum@obit.nl>
Sent by: joel@lysator.liu.se
Imported: 2001-12-13 07:37 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: m.v.berkum@obit.nl
Recipient: Bugtraq (import) <20122>
Subject: Silly 'script' hardlink bug
------------------------------------------------------------
From: Marco van Berkum <m.v.berkum@obit.nl>
To: bugtraq@securityfocus.com
Message-ID: <3C17E20C.5692DA23@obit.nl>

Hi,

I found this small bug, you might like it :)
Tested on Slackware Linux.

/*
-------------------------------------------------------
Title: Silly hardlink vulnerability in 'script' command
Software Author: yet unknown
Bug found by: Marco van Berkum (m.v.berkum@obit.nl)
Date: 12-12-2001
Priority: low
-------------------------------------------------------

Script command
--------------
The script command, which is part of the util-linux package,
contains a silly hardlink vulnerability which could overwrite
any file on the hard disk. Script is a tool to save terminal
sessions for later reference. By default script creates a file
called typescript for its log.

The problem
-----------
Very simple: script (when executed as root) overwrites hardlinks
that could be set by any user to any file on the hard disk.
For instance, a malicious user can place a hardlink 'typescript'
to /etc/passwd (or any other file) in his home directory. If the
root user would execute script in that directory, it would cause
script to overwrite that file. Script does check for symlinks and
asks if the symlink should be overwritten; it lacks checking
hardlinks.

Priority
--------
Low, it's not likely that root users execute script in a user's
home directory. They could though; it's a minor problem that must
be fixed for that reason.

Author
------
Still looking for the correct person
*/

just my 2 cents,
Marco van Berkum

--
GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w--- O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D---- G++ e- h+ r y*
+---------------------+------------------+-------------------+
| Marco van Berkum    | MB17300-RIPE     | Security Engineer |
| http://ws.obit.nl   | "Chernobyl used  | Network Admin     |
| m.v.berkum@obit.nl  | Windows"         | UNIX              |
+---------------------+------------------+-------------------+
(7663126) /Marco van Berkum <m.v.berkum@obit.nl>/---
Comment in text 7667018 by Michael Shigorin <mike@lic145.kiev.ua>

7667018 2001-12-13 08:58 +0200 /17 lines/ Michael Shigorin <mike@lic145.kiev.ua>
Sent by: joel@lysator.liu.se
Imported: 2001-12-13 19:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20131>
Comment to text 7663126 by Marco van Berkum <m.v.berkum@obit.nl>
Subject: Re: Silly 'script' hardlink bug
------------------------------------------------------------
From: Michael Shigorin <mike@lic145.kiev.ua>
To: bugtraq@securityfocus.com
Message-ID: <20011213085846.C1567@lic145.kiev.ua>

On Thu, Dec 13, 2001 at 12:02:36AM +0100, Marco van Berkum wrote:
> the harddisk. For instance, a malicious user can place
> a hardlink 'typescript' to /etc/passwd (or any other file)
> in his home directory. If the root user would execute

...and no sane system will get /etc and /home on the same
partition. Still, it's a beloved `mitigating factor', not a
solution.

Just my 2 copecks.
--
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ http://visa.chem.univ.kiev.ua/~mike/
(7667018) /Michael Shigorin <mike@lic145.kiev.ua>/--
Attachment (application/pgp-keys) in text 7667019
Attachment (application/pgp-signature) in text 7667020

7667019 2001-12-13 08:58 +0200 /35 lines/ Michael Shigorin <mike@lic145.kiev.ua>
Imported: 2001-12-13 19:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20132>
Attachment (text/plain) to text 7667018
Subject: Attachment to: Re: Silly 'script' hardlink bug
------------------------------------------------------------
(7667019) /Michael Shigorin <mike@lic145.kiev.ua>/--

7667020 2001-12-13 08:58 +0200 /10 lines/ Michael Shigorin <mike@lic145.kiev.ua>
Imported: 2001-12-13 19:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20133>
Attachment (text/plain) to text 7667018
Subject: Attachment to: Re: Silly 'script' hardlink bug
------------------------------------------------------------
(7667020) /Michael Shigorin <mike@lic145.kiev.ua>/--