what you don't know can hurt you

wkit.joe.txt

wkit.joe.txt
Posted Nov 17, 2000
Authored by Patrik Birgersson | Site wkit.com

Joe's Own Editor File Link Vulnerability - If a joe session with an unsaved file terminates abnormally, joe creates a rescue copy of the file being edited called DEADJOE. The creation of this rescue copy is made without checking if the file is a link.

tags | exploit
MD5 | be8e7cf49d0d3008503014289c862566

wkit.joe.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


TITLE: Joe's Own Editor File Link Vulnerability
ADVISORY ID: WSIR-00/11-01
CONTACT: Patrik Birgersson, Wkit Security AB
CLASS: File Handling Error
OBJECT: joe(1) (exec)
VENDOR: Josef H. Allen
STATUS: Vendor not reachable
REMOTE: No
LOCAL: Yes
DATE: 13/11/2000
VULNERABLE: Joe's Own Editor 2.8
Other versions/configurations not tested


VULNERABILITY DESCRIPTION
If a joe session with an unsaved file terminates abnormally, joe creates a
rescue copy of the file being edited called DEADJOE. The creation of this
rescue copy is made without checking if the file is a link. If it is a
link, joe will append the information in the unsaved file to the file that
is being linked to DEADJOE, resulting in a corrupted file.


CONDITIONS
1. The malicious user must have write permissions in the directory where
the file is being edited, in order to create a link
2. The 'victim user' must have write permissions for the 'victim file'
3. The 'victim user' joe session must terminate abnormally
4. The file being edited must not have been saved


VULNERABILITY EXAMPLE
- - Root is logged in remote
- - Malicious user (X) notices that root is editing file.txt in /tmp
(where X has write permissions)
- - X creates a link from /etc/passwd (root = write permission) to
/tmp/DEADJOE
- - Root's connection is dropped or terminated under abnormal conditions
(for example: root halts the system) before file.txt is saved, the
editor will write a rescue copy to /tmp/DEADJOE
- - The editor won't check if /tmp/DEADJOE is a link, and appends the
content of file.txt to /etc/passwd


SOLUTION/VENDOR INFORMATION/WORKAROUND
No information available.


CREDITS
This vulnerability was discovered and documented by Christer Öberg and
Patrik Birgersson of Wkit Security AB, Håverud, Sweden.

Other advisories from Wkit Security AB can be obtained from:
http://www.wkit.com/advisories/


DISCLAMER
The contents of this advisory is copyright (c) 2000 Wkit Security AB and
may be distributed freely, provided that no fee is charged and proper
credit is given. Wkit Security AB takes no credit for this discovery if
someone else has published this information in the public domain before
this advisory was released.
The information herein is intended for educational purposes, not for
malicious use. Wkit Security AB takes no responsibility whatsoever for the
use of this information.


ABOUT THE COMPANY
Wkit Security AB is an independent data security company working with
security-related services and products. Wkit Security AB plays a leading
role in the development of security thinking, regarding internal and
external data communication at companies and other organizations that
store sensitive information.
The company consists of two divisions: a service division, performing
security analysis and security reviews, and a product division. We work
together with strategic partners to bring programs and services into the
market.
Our services and products are continuously developed to optimally follow
the world demand for IT security.


30 DAY DISCLOSURE
Whenever Wkit Security AB finds any security related flaws in operating
system, or application, we will provide the vendor responsible for the
product with a detailed Incident Report. We believe that 30 days is
appropriate for the vendor to fix the problem before we publish the
incident report on our own web page and other mailing lists/websites we
find suitable for the majority of the worldwide users. If the vendor has a
reasonable cause why they can't fix the problem in 30 days we can, after
discussion, agree on a longer disclosure time.


ACKNOWLEDGEMENTS
Wkit Security AB's highest priority is for the public security, and will
never release Incidents Reports without informing the vendor and give them
reasonable (30 day) time to fix the problem. In general, Wkit Security AB
follows the guidelines for reporting security breaches we found on the
vendors homepage or similar.
We urge vendors that in the same way we follow their guidelines, that the
vendor informs us about the solution; if possible, 2 days before the
fix/solution will be presented for the majority. This gives us the chance
to prepare our web page to inform about the Incident and to present a
solution in the way the vendor suggest at the time when it is present for
the majority.


CONTACT
Wkit Security AB should be contacted through advisories@wkit.com if no
other agreement has been done. Every incident report is assigned a report
number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one
responsible contact person from Wkit Security. When communicating with
Wkit Security AB in the matter of the Incident Reports, be sure to add the
WSIR number in the email to avoid any problems.


***************************************************************************
Wkit Security AB
Upperudsvägen 4
S-464 72 Håverud
SWEDEN

http://www.wkit.com
e-mail: advisories@wkit.com
***************************************************************************


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOhJlSW7fLJob6xkXEQJgpACfSP5fzZWft5antg+DdXMdYcAOVSQAoKN/
lhge4y3XCAroyWUA004N/acM
=LYU/
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    1 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close