
Re: [Full-disclosure] Symlink attack techniques



On Thu, Dec 15, 2005 at 01:09:49PM +0000, Werner Schalk wrote:
> Hi,
> 
> thanks for all the replies, I really appreciate this.

> basically the cronjob is something like:
> 
> 15 4  * * 6  root  /usr/bin/find /home/userA -type f -print > /tmp/report.txt
> 
> Consequently as userB I have no way of influencing what information is
> printed by the find command to /tmp/report.txt but I can surely
> control /tmp/report.txt. Any other ideas of how to exploit this to gain root
> access?

This is not generally possible. It's likely to be viewed, though, and you
can attack the viewing application (bad email clients, old vim versions,
and most browsers apply).

Of course, symlinking it to /etc/passwd is fun but ultimately pretty
useless.

                Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
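
A defensive take on the quoted cron entry, as an added example that is not part of the original thread: the plain redirect follows a link planted at the report path, while an exclusive create refuses it. The function names and the scratch paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. All paths are constructed and live in a scratch directory.

# Weak form, as in the quoted cron entry: "> path" opens an existing path
# for writing and follows a symlink planted there.
write_report_weak() {            # $1 = tree to scan, $2 = report path
    find "$1" -type f -print > "$2"
}

# Create-only write: under noclobber (set -C) the redirection fails if
# anything already exists at the path, so a planted link is not followed.
write_report_excl() {
    ( set -C; find "$1" -type f -print > "$2" ) 2>/dev/null
}

# Weekly job: remove whatever sits at the name (rm unlinks a symlink itself,
# not its target), then create exclusively. A link re-planted in between
# makes the job fail instead of writing through it.
write_report_safe() {
    rm -f -- "$2" && write_report_excl "$1" "$2"
}

# Constructed demonstration: "victim" stands in for a root-owned file.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/home" "$d/tmp"
    : > "$d/home/a.txt"
    for fn in write_report_weak write_report_excl write_report_safe; do
        echo "original" > "$d/victim"
        ln -sf "$d/victim" "$d/tmp/report.txt"
        "$fn" "$d/home" "$d/tmp/report.txt"; rc=$?
        echo "$fn: exit=$rc victim=$(cat "$d/victim")"
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the three outcomes side by side. Writing the report into a directory that only root can write to removes the planting step altogether.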