Re: [Full-disclosure] Symlink attack techniques
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Symlink attack techniques
- From: James Longstreet <jlongs2@xxxxxxx>
- Date: Thu, 15 Dec 2005 18:14:51 -0600

On Dec 15, 2005, at 7:09 AM, Werner Schalk wrote:

> Ok I should have been more precise in my previous mail. In this scenario I
> don't have control over the output generated by the find command. So
> basically the cronjob is something like:
>
> 15 4 * * 6 root /usr/bin/find /home/userA -type f -print > /tmp/report.txt
>
> Consequently as userB I have no way of influencing what information is
> printed by the find command to /tmp/report.txt but I can surely
> control /tmp/report.txt. Any other ideas of how to exploit this to gain root
> access?

Since it doesn't seem like you can control what gets written to the
file, you probably can't directly get root access from there. The
output could have some ill effect if written to the correct file...
hard to know without knowing what the output is.
Of course, as was already suggested, you can be malicious and
destructive and destroy /etc/passwd (or any other file on the
system), but I don't see right away how to gain root from that.
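
The cron job discussed in this thread, set beside a form that cannot be redirected by a link at the output path. This is an added example, not part of the original posts: the function names, the `report.txt` name inside a private directory, and the idea of moving the output out of `/tmp` are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and paths are constructed.

# The cron job's pattern: "> path" follows a symlink at path and truncates
# whatever it points to, with the privileges of the job.
report_unsafe() {   # $1 = tree to scan, $2 = output path
    find "$1" -type f -print > "$2"
}

# True only if $1 is a real directory (not a symlink), owned by the caller,
# and not writable by group or others, so nobody else can plant a link in it.
dir_is_private() {
    [ -n "$(find "$1" -prune -type d -user "$(id -u)" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Hardened pattern: refuse shared directories, write to a fresh mktemp file
# (exclusive create, mode 0600), then rename it into place.
report_safe() {     # $1 = tree to scan, $2 = private output directory
    dir_is_private "$2" || { echo "refusing shared dir: $2" >&2; return 1; }
    tmp=$(mktemp "$2/.report.XXXXXX") || return 1
    if find "$1" -type f -print > "$tmp"; then
        mv -f "$tmp" "$2/report.txt"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

On Linux, the `fs.protected_symlinks` sysctl also stops a process from following another user's link in a sticky world-writable directory, but the job should not depend on that setting being enabled.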