From proff  Tue Sep  3 19:51:16 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id TAA06227 for best-of-security; Tue, 3 Sep 1996 19:51:16 +1000
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id TAA04728; Tue, 3 Sep 1996 19:26:28 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id WAA16000; Mon, 2 Sep 1996 22:49:30 -0700 (PDT)
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23995-710>; Tue, 3 Sep 1996 01:42:05 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id BAA15017; Tue, 3 Sep 1996 01:43:25 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 324712 for BUGTRAQ@NETSPACE.ORG; Tue, 3 Sep 1996 01:36:31
          +2000
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id BAA13486 for <BUGTRAQ@NETSPACE.ORG>; Tue, 3
          Sep 1996 01:27:56 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by netspace.org
          (8.7/8.6.12) with SMTP id WAA27884 for <bugtraq@netspace.org>; Mon, 2
          Sep 1996 22:16:14 -0400
Received: by mercury.Sun.COM (Sun.COM) id TAA10284; Mon, 2 Sep 1996 19:16:11
          -0700
Received: from sunsvc.Singapore.Sun.COM by Singapore.Sun.COM (SMI-8.6/SMI-5.3)
          id KAA15145; Tue, 3 Sep 1996 10:17:34 +0800
Received: from elan.Singapore.Sun.COM by sunsvc.Singapore.Sun.COM
          (SMI-8.6/SMI-SVR4) id KAA07603; Tue, 3 Sep 1996 10:15:07 +0800
Received: by elan.Singapore.Sun.COM (SMI-8.6/SMI-SVR4) id KAA01267; Tue, 3 Sep
          1996 10:16:56 +0800
Approved-By:  Shyne-Song Chuang <Shyne-Song.Chuang@SINGAPORE.SUN.COM>
Message-ID: <199609030216.KAA01267@elan.Singapore.Sun.COM>
Date: 	Tue, 3 Sep 1996 10:16:56 +0800
Reply-To: Shyne-Song Chuang <Shyne-Song.Chuang@Singapore.Sun.COM>
Sender: proff
From: Shyne-Song Chuang <Shyne-Song.Chuang@Singapore.Sun.COM>
Subject:      [BUG] Vulnerability in TIN
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

Hi everyone,

I am not sure if this is a known vulnerability, but the newsreader
tin also has a problem with mode 666 temp files. The standard distribution
creates /tmp/.tin_log by default, and this can be abused to create any
file writable by the tin user. Existing files writable by the tin user
can likewise be overwritten and made world writable.

The tin user's account can similarly be compromised with the creation
of an .rhosts file as with other recent exploits of the same nature.

This bug is less convenient to exploit than the others since the log file
is created only by the first person to run tin before .tin_log exists.
Subsequent tin users' entries are appended to the existing log file. It would
therefore take some guess work to determine who this first tin user would be.
This is perhaps easier to accomplish on a dedicated user workstation.
The opportunity to exploit tin would be after each reboot, when /tmp is
cleared out.

This problem affects tin 1.2 PL1 and the current PL2 as well.

Here's the offending source code:

                /* fixed, predictable path: TMPDIR/LOG_USER_FILE, i.e. /tmp/.tin_log */
                joinpath (log_file, TMPDIR, LOG_USER_FILE);

                /* "a+" opens whatever the path currently names, following a symlink */
                if ((fp = fopen (log_file, "a+")) != (FILE *) 0) {
                        time (&epoch);
                        fprintf (fp, "%s%s: %-32s (%-8s) %s",
                                VERSION, PATCHLEVEL,
#ifdef M_AMIGA
                                get_val ("REALNAME", "Unknown"),
                                get_val ("USERNAME", "Unknown"),
#else
                                buf,
                                myentry->pw_name,
#endif
                                ctime (&epoch));
                        fclose (fp);
                        /* chmod by path, after close: makes whatever the path names mode 666 */
                        chmod (log_file, 0666);
                }
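For comparison, here is how the same log append can be written without the two defects in the fragment above: opening the path with fopen(), which follows a symlink, and then chmod()-ing the path to 0666 afterwards. This is an added example, not tin's code; the function names safe_append_log(), log_file_is_unsafe() and demo_outcomes(), the scratch directory and the sample user/version strings are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Added example (not tin's code): append one record to a log file.
 * Returns 0 on success, -1 on failure with errno set. */
int safe_append_log(const char *path, const char *user, const char *version)
{
    /* O_NOFOLLOW: fail (ELOOP) if the final component is a symlink.
     * O_APPEND: every write lands at end of file.  0600: never world writable. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    /* Inspect the file we actually opened, not the path name. */
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);          /* not a plain file of ours: refuse to write it */
        errno = EPERM;
        return -1;
    }

    /* Set the mode on the descriptor, not by path, and keep it private. */
    if (fchmod(fd, 0600) < 0) { close(fd); return -1; }

    time_t epoch = time(NULL);
    char line[256];
    int n = snprintf(line, sizeof line, "%s: %-8s %s", version, user, ctime(&epoch));
    if (n < 0 || (size_t)n >= sizeof line) { close(fd); errno = EINVAL; return -1; }
    if (write(fd, line, (size_t)n) != n) { close(fd); return -1; }
    return close(fd);
}

/* Audit helper: 1 if the path is a symlink or world writable (the state the
 * advisory describes), 0 if it looks sane, -1 if it cannot be stat'ed. */
int log_file_is_unsafe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    if (S_ISLNK(st.st_mode))
        return 1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Self-contained demonstration in a constructed scratch directory.
 * Returns 0 when every expectation holds, a small positive code for the
 * first expectation that fails, -1 on a setup error. */
int demo_outcomes(void)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[128];
    snprintf(dir, sizeof dir, "%s/tinlog-demo-XXXXXX", tmp);
    if (mkdtemp(dir) == NULL) {
        snprintf(dir, sizeof dir, "./tinlog-demo-XXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }
    char logp[160], targ[160], link[160];
    snprintf(logp, sizeof logp, "%s/tin_log", dir);
    snprintf(targ, sizeof targ, "%s/other_file", dir);   /* constructed pre-existing file */
    snprintf(link, sizeof link, "%s/linked_log", dir);   /* symlink pointing at it */

    int rc = 0;
    if (safe_append_log(logp, "song", "1.2PL2") != 0) rc = 1;        /* normal append works */
    else if (log_file_is_unsafe(logp) != 0) rc = 2;                   /* and is not mode 666 */
    else {
        int fd = open(targ, O_WRONLY | O_CREAT, 0600);
        if (fd < 0 || close(fd) < 0 || symlink(targ, link) < 0) rc = -1;
        else if (safe_append_log(link, "song", "1.2PL2") == 0) rc = 3; /* symlink refused */
        else {
            struct stat st;
            if (stat(targ, &st) < 0 || st.st_size != 0) rc = 4;      /* target untouched */
            else if (log_file_is_unsafe(link) != 1) rc = 5;           /* audit flags the link */
        }
    }
    unlink(link); unlink(targ); unlink(logp); rmdir(dir);
    return rc;
}
```

The descriptor-based checks close the window that the original chmod(log_file, 0666) leaves open, but they also mean a second user cannot append to a 0600 file created by the first. That is the real point: a shared, world-writable log under /tmp cannot be made safe, and the usual fix is a per-user log under the user's home directory.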


Rgds,
Song

